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Abstract 



Quantum information theory investigates the information content of quantum 
systems, hence generalizes classical information theory. The classical bits are 
generalized into quantum bits (two-level systems). Unlike classical bits, each 
quantum bit can be in a superposition of its two basis states, and several quan- 
tum bits can be entangled to each other. Unlike classical bits, quantum bits 
cannot be duplicated, and furthermore, the state of a quantum bit cannot be 
identified, unless more (classical) information is available. This property of 
quantum information was used to suggest new type of cryptography, quantum 
cryptography, which uses quantum bits to encode classical bits, before providing 
them to possible adversaries. 

Quantum cryptography suggests various possibilities which are beyond the 
abilities of classical cryptography. In particular, it suggests schemes for an 
information-theoretic secure key distribution, and an alternative to the exist- 
ing "public/secret key distribution" which cannot be information secure, and 
are not proven to be computationally secure. The main advantage of quantum 
schemes over any classical scheme is the fact that quantum information cannot 
be passively intercepted, hence eavesdropping attempts induce noise. Unfor- 
tunately, in the presence of noisy channels and devices, none of the existing 
schemes for quantum key distribution is proven secure: the eavesdropper can 
obtain some small amount of information while inducing an acceptable noise; 
furthermore, the legitimate users must correct their data using some error cor- 
rection code, and the eavesdropper can obtain this information as well. Classical 
privacy amplification techniques were suggested to yield a secure final key, but 
there is no complete proof of security yet. As is common in cryptography, a 



promising suggestion might be found worthless later on; Future technology, such 
as the ability to maintain quantum states for a long time, could be destructive 
(or even fatal) to all such schemes. 

This thesis investigates the importance of quantum memory in quantum 
cryptography, concentrating on quantum key distribution schemes. 

In the hands of an eavesdropper - a quantum memory is a powerful tool, 
putting in question the security of quantum cryptography; Classical privacy am- 
plification techniques, used to prove security against less powerful eavesdrop- 
pers, might not be effective when the eavesdropper can keep quantum states 
for a long time. In this work we suggest a possible direction for approaching 
this problem. We define strong attacks of this type, and show security against 
them, suggesting that quantum cryptography is secure. We start with a com- 
plete analysis regarding the information about a parity bit (since parity bits are 
used for privacy amplification). We use the results regarding the information on 
parity bits to prove security against very strong eavesdropping attacks, which 
uses quantum memories and all classical data (including error correction codes) 
to attack the final key directly. 

In the hands of the legitimate users, a quantum memory is also a useful tool. 
We suggest a new type of quantum key distribution scheme where quantum 
memories are used instead of quantum channels. This scheme is especially 
adequate for networks of many users. The use of quantum memory also allows 
reducing the error rate to improve large scale quantum cryptography, and to 
enable the legitimate users to work with reasonable error rate. 
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Chapter 1 

Introduction to Quantum 
Cryptography and Quantum 
Memory 



Classical information theory, originated by Shannon [p3fl , quantifies the intuitive 
concept of information as it appears in a statement like 'this page contains a lot 
of information'. It serves as an invaluable tool in communication theory, data 
processing (e.g., compression), computation theory, cryptography and many 
other areas in electrical engineering and computer science. 

Information is deeply related to physical objects; As such, classical infor- 
mation theory can deal only with cases where the carriers of information are 
classical object (even if underneath there is a deeper quantum reality). In the 
quantum world it is natural to extend this theory to the more general "quan- 



tum information" theory 105, B4L 65, 34, p9, E4L Rq, |92||, which considers the 



information content of a quantum system. We are mainly interested in cases 
where information is encoded into quantum states, and later on decoded back 
to classical information. The quantum information is transformed to classical 
information when a test occurs in a laboratory, due to the projection postulate 
of conventional quantum mechanics. A quantum state (in general, a density 
matrix) p, has a practical meaning: it allows us to predict probabilities regard- 
ing various physical tests. Its expectation value regarding a specific state 0, 
(4>\p\4>), can be measured in the laboratory (at least, in principle). In this sense, 
it is a subjective property of a system: non-pure states are defined as statistical 
mixtures of pure states]], hence one considers a state to be non pure due to hav- 
ing partial knowledge on the preparation procedure. If a system is entangled 
with other systems which are not available to us, then we can only consider 
measurements on our system, and our prediction ability is more limited; we 
have to "trace out" the degrees of freedom of the other systems, in order to be 



1 Most books use this definition. Unlike most books Landau and Lifshitz j38| use a different 
definition which assigns objective meaning to the density matrix. In this work we consider 
only the subjective meaning of the density matrix (namely, prediction abilities which can be 
verified in the laboratory). 



able to predict the probabilities of outcomes of various tests performed in our 
laboratory. The state of our system depends on classical information which we 
might obtain from people who hold the other systems, since such information 
could influence our possible predictions. 

There are various aspects of quantum information, such as entropy of quan- 
tum systems [ 105 , |64}| , the coding theorem for quantum information [^, |63| . 



optimal identification of quantum states |34|, £9], |89], |2^, (49] , quantum noise 
in transmission channels f29j, communication using quantum states and many 
others. This work deals with quantum communication and cryptography. 

In communication theory, information is transmitted from one person to 
another through a channel. Information theory tells us how well a state (say, a 
string of bits) can be reproduced after it passed through a noisy channel. Thus, 
it quantifies the reliability of the received state. In classical communication, 
the information is carried by distinguishable signals, each of which represents a 
distinct letter of some alphabet (usually binary). Each signal can be duplicated 
and can also be identified unambiguously unless some noise is added. When a 
small amount of noise exists, the state could still be identified with excellent 
probability of success if enough redundancy is added to the transmitted data. 
In quantum communication, the information is carried by signals which are not 
necessarily distinguishable [|34], ^9], |25f . In general, we can omit the specification 
of the carriers and consider only their quantum states (unless we deal with 
implementations). For our purposes, it usually suffices to choose an abstract 
two-level system (with a basis |0) and |1)) to replace the classical bit. A general 
state of a two-level system a|0) + /3|1) with \a\ 2 + \(3\ 2 = 1, is called a "qubit" 
(quantum bit) p2| ; any larger system consists of many qubits. If one uses 
non-orthogonal states to represent classical signals '0' and '1', such that the 
overlap of the two states is not zero, the encoded data cannot be duplicated nor 
identified unambiguously. 

In cryptography, information must always remain secret from some people. 
In this scientific area, human intentions play an important role, and we must 
always assume that people wish to learn this secret data. For instance, a sender, 
Alice, wishes to send some data to a receiver, Bob, in a way that an eavesdrop- 
per, Eve, cannot learn that data. In this case, information theory may tell us 
the maximal amount of information available to Eve, depending on her abilities. 
Thus, it quantifies the security of the secret data. An eavesdropper listening 
to classical communication can (in principle) remain unexposed, since the data 
can always be duplicated. Quantum communication allows for more. Using 
non-orthogonal quantum states to transmit classical bits, the signals cannot be 
duplicated [|107|| , and any gain of information about them necessarily induces 
noise. Thus, (unlike classical channels) quantum channels cannot be passively 
intercepted, when non-orthogonal quantum states are transmitted! This fact 
was used to suggest a new type of cryptography -- quantum cryptography - 
where the use of non-orthogonal states might permit performing new tasks, 
which are beyond the ability of classical cryptography. 

One of the main goals of cryptography, the secure transmission of messages, 



can be achieved using a secret key known only to the sender, Alice, and the 
receiver, Bob. The problem is how to distribute the key. Achieving a secure key 
distribution is among the most important goals of cryptography, and the cur- 
rent ways this is done are either very expensive or not proven secure. The main 
achievement of quantum cryptography is the design of schemes for secure key 
distribution. They are using non-orthogonal quantum states, hence, any eaves- 
dropping attempt induces noise and can be noticed by the legitimate users^. 
The goal of any quantum key distribution protocol is to generate a common key 
while not leaking any significant information to an unrestricted adversary; If the 
amount of information leaked to the eavesdropper is much smaller than a single 
bit, the key is said to be information-theoretic secure. The classical "public 
key distribution" and many other protocols in classical cryptography are not 
designed to withstand adversaries who have unlimited computation abilities; 
i.e., they can be at most computationally secure. This advantage of quantum 
cryptography would not be crucial if indeed classical cryptography was compu- 
tationally secure. However, the existing schemes for classical key distribution 
rely upon unproven computational assumptions (such as the difficulty of factor- 
ing large numbers). 

In addition to key distribution, it is important to mention a very similar task 
- namely "key expansion" . In a key expansion protocol some short amount of 
information (say, m bits) is shared in advance between Alice and Bob, and it is 
used to derive long common keys (say, of total length n much larger than m) . If 
such an expansion leaks only an exponentially small amount of information to 
an eavesdropper (say, 2~ m bit) the final key is still information-theoretic secure. 
Quantum key distribution demands, in addition to the quantum channel, also 
an "unjammable" classical channel in which the transmitted data can possibly 
be monitored passively, but not modified. This requirement || can be derived 
in principle using schemes for broadcasting the classical messages. Alterna- 
tively, it can be fulfilled if the legitimate users can identify each other through 
the classical channel. In cryptographic terms, it means that they share some 
information in advance, thus the so called "quantum key distribution" should 
be better called "quantum key expansion". Having clarified this point, we shall 
keep using the "wrong" term as is common. 

Quantum cryptography was invented in 1969 by Wiesner ||106|| in his paper on 



"conjugate coding" (unpublished by that time). Ten years later, a collaboration 
between Bennett and Brassard (based on Wiesner's idea) was the actual starting 
point of quantum cryptography M , and lead to "quantum key distribution" in 
1984 ||. Their basic idea is to use non-orthogonal quantum states for key 
distribution since such states cannot be cloned by a potential eavesdropper. 
They used four possible states, therefore, we refer to their scheme as the four- 



state scheme. In 1991 Ekert |l. | proposed (following a suggestion of Deutsch) to 
use quantum nonlocality for cryptographic purposes, and the connection of his 
scheme to the original quantum key distribution scheme was demonstrated by 



For a more accurate analysis of this delicate point see K 



Bennett, Brassard and Mermin |Tl| . We refer to their version of Ekert scheme as 
the EPR scheme. Another important scheme was later proposed by Bennett ||, 
showing that quantum key distribution can be performed even if one uses only 
two non-orthogonal states. We refer to this scheme as the two-state scheme. Any 
of these schemes can be used to design a quantum key distribution protocol, 
where a quantum channel and an unjammable classical channels are used to 
transmit a secret key. If Alice and Bob identify errors (by the discussion over 
the classical channel) they quit the protocol. Thus, Eve can force them to quit 
the protocol, but she cannot cheat them into thinking she is not listening, and 
still get information about their key. 

The first prototype for quantum key distribution was built in 1989 0. It 
provided a proof of feasibility by performing a distribution over a distance of 30 
centimeters. Since then, much more practical prototypes were built for a dis- 



tance of 30 kilometers |74| in a coil, a distance of 24 kilometers in underground 
optical fiber [5S|, and 23 kilometers in underwater optical fiber [J84| . The imple- 
mentations are using either photon polarization (as originally proposed in ||) 
or phase and interferometry (as in ||). Unfortunately, they are mainly using 
weak pulses of coherent light instead of Fock states of single photons, and this 
creates various problems of security, due to the use of a Hilbert space which is 
different from the Hilbert space used in the theoretical schemes. This problem 



is considered in [p8j |110| . It is yet unclear whether future practical quantum key 
distribution will be based upon weak coherent pulses or upon single photons. 
The basic theoretical schemes already raise the main fundamental questions 
regarding quantum key distribution, thus we shall not consider here the more 
complicated practical schemes which use weak coherent pulses. 

Most of the fundamental questions in quantum key distribution (and more 
generally, in quantum cryptography) are due to activities which are permitted 
by the rules of quantum mechanics, but are not technologically feasible. The 
ability to maintain quantum states unchanged for long times was ignored till 
recently, but today it strongly influences any suggestion (or analysis) in quan- 
tum cryptography. In this work we investigate the role of quantum memory in 
quantum cryptography, and mainly in quantum key distribution. 

The most important question in quantum cryptography is to determine how 
secure it really is. Any practical implementation must take into account that 
some errors are inevitable due to errors in creation, transmission and detection 
of quantum states. The legitimate users must be able to withstand some errors, 
and furthermore, must correct them to yield a final (shorter) common key. Thus, 
Eve can gain some information from both the quantum states (if she induce less 
errors than permitted) and the error- correct ion data (transmitted through a 
classical channel). Eve's total information depends on the permitted error rate, 
on her attack and on the error- correct ion code used by Alice and Bob. Clearly, 
it is not negligible. To overcome this problem, and enable the derivation of a 
final key which is both reliable, and secure, privacy amplification schemes were 
designed pj], O, H. Their goal is to reduce Eve's information to be as small as 



desired, for the price of shortening the final key even further. To do so, collective 



properties of substrings of bits (e.g., the parity of a substring) are used as the 
final key. 

In early papers on quantum cryptography, the security of quantum key dis- 
tribution was studied under the assumption that the eavesdropper is performing 
standard (von Neumann) measurements on the photons on their way from Alice 
to Bob. Such analysis can be found, for instance, in |57|, ||, where in ]57| the 
issue of Eve's information gain versus the disturbance to Bob's state was dis- 
cussed, and in || Eve's information on the final string was also considered. It is 
rather clear ||, |13| (although, not explicitly proven) that privacy amplification 
is effective against any attack of that type, implying the security of quantum 
key distribution against such attacks. 

Unfortunately, quantum mechanics permits much more sophisticated eaves- 
dropping strategies, against which there are no security proofs!]. 



Quantum gates are currently under investigation by both theorists |36, 41 



and experimentalists [^, |103| , |52| . Eve can use quantum gates to per- 



form translucent attacks f45fl , which are not "opaque" (intercept /resent) as the 
standard measurements are. In translucent attacks Eve interacts with Alice's 
particle as follows: she attaches an auxiliary particle (a probe) to each transmit- 
ted particle by performing some unitary transformation on them together. After 
the interaction, Alice's particle is sent from Eve to Bob, in a way that Eve does 
not know its exact state. If the interaction is weak, it results in a very small 
disturbance to the state of the transmitted particle. Information gain versus 



disturbance in such attacks is improved compared to "opaque" attacks ]45| and 
was investigated further ]5T], fjg| . When attacking the four-state scheme of 0, 
the measurement on the probes can be delayed till receiving the data regarding 
the basis used by Alice. The main advantage of translucent attack over opaque 
attack is that it can be performed on all the transmitted particles. In this case 
it provides very little information on each particle, but it might provide much 
more information on a collective property used as the final key! Fortunately, it 
is clear |J that privacy amplification is still effective against such a single par- 
ticle attack, and a partial proof was also provided J75) . A demonstration of the 
effectiveness of privacy amplification against such attacks is given in Chapter 0; 
this is done for an explicit but typical example. 

Unfortunately, the effectiveness of privacy amplification against single-particle 
attacks is not sufficient. Eve can do much more than such an attack if she is 
capable of keeping the particles in quantum memories. In this case she can 
perform joint attacks which are directed towards the final key, and the effec- 
tiveness of privacy amplification against them is in question. Such attacks were 
considered in some papers H |I0| , and were analyzed only in case of error- free 



channels |109|| (the analysis was done for quantum oblivious transfer, but the 



proof applies to quantum key distribution [75| as well). In Chapter |2| we explain 
the security problem in details, and we present a restricted class of joint attacks 
which we call collective attacks, in which each transmitted particle is attached 



But see Section 2.5. 



to a separate probe. All probes are measured together after Eve gets all classical 
data, and the attacks are directed against the final key. Such joint attacks are 
much simpler than the most general joint attacks, however, they are still general 
enough to present the power of joint attacks. Furthermore, we could not find 
any joint attack which is stronger than the collective attacks. Thus, we suggest 
a new approach to the security problem: 

• to prove the security against collective attacks. 

• to prove that collective attacks are the strongest joint attacks. 

While we have done a lot of progress regarding the first issue, we didn't do 
much progress regarding the second. We only explain the randomization argu- 
ment which provides the intuition that collective attacks are the strongest joint 
attacks. 

The main achievement of this work is to provide various proofs of the security 
of the final key (the parity bit) against a very powerful eavesdropper who has 
both quantum gates and quantum memories. In Chapter |3] we find the optimal 
information regarding the parity bit, obtained by any type of measurement, 
and we show that the best measurement is indeed a joint measurement in an 
entangled basis [15|. In Chapter f| we consider various realistic attacks on the 



parity bit which use both quantum and classical (error correction) information 
and we prove security against them. Our results provide strong evidence that 
quantum key distribution is secure. We consider various collective attacks which 



leave the eavesdropper with probes in pure states |2(J and mixed states pi 
and we prove security against them. 



In parallel to our work, Mayers [76| and a group in England 38 came up 



with other approaches to the joint attack, and several works studied the single- 



particle attacks [[H], |5T], [T^j . The techniques presented in these papers may well 
prove useful in advancing the issue of the security of quantum key distribution. 
In addition to studying the use of a quantum memory to the benefit of 
the eavesdropper in quantum cryptography, we also study other applications of 
quantum memory, to the benefit of the legitimate users. In Chapter ^ we in- 
troduce a new scheme for quantum key distribution which is implemented with 
quantum memory and does not require quantum channels! It is a time-reversed 
EPR scheme and correlations between particles are introduced by projecting 
their states onto entangled states. Our scheme is especially suited for building 
a quantum cryptographic network of many users. A quantum memory plays 
an important role in the security problem also when the legitimate users are 
permitted to use it (ignoring the practicability of the scheme). In Chapter ^|we 
discuss new possibilities related to quantum memories: first, they become more 
available due to suggestions for quantum error correction [B3|, and fault-tolerant 
error correction ||96| . Second, new applications of quantum memories, namely 
the possibility to purify singlets |T2|], can be used to design quantum privacy 
amplification [J38"|. We connect the two issues together: we suggest quantum 



privacy amplification based upon quantum error correction, and discuss their 

10 



implications for quantum cryptography. This discussion corrects wrong impres- 
sions that the security problem has already been solved by quantum privacy 
amplification J38[ . Our new quantum privacy amplification suggests the surpris- 
ing possibility of using "quantum repeaters" for improving secure transmission 
of non-orthogonal quantum states over a long distance. 

The practical interest in quantum cryptography is clear. Furthermore, quan- 
tum cryptography raises very interesting physical questions: 

1. How is information split between two observers (Bob and Eve)? 

2. Is secure transmission of data possible under the laws of Physics? 

3. How do (reduced) density matrices (thus, predictions regarding the prob- 
abilities of various outcomes in any possible test) change due to additional 
classical information? 

The intensive research on quantum information, quantum cryptography and 
quantum computing already yielded (or helped improve) various surprising ad- 
vances in quantum mechanics such as teleportation, generalized measurements, 
fast quantum computation, purification of singlets, and preservation of qubits. 

The protocols considered here and the attacks against them are discussed in 
mathematical terms, and are required to be consistent only with the mathemat- 
ical foundations of quantum mechanics. We prefer to simplify the discussion as 
much as possible, thus we present simplified models (such as two-level systems, 
and pairs of two level systems), and not the more realistic models which are im- 
plemented in laboratories (such as weak coherent states). The only exception is 
the case of quantum memory. Due to its special role in this work, we give a brief 
overview of possible implementations. We shall frequently use the terms existing 
vs. future technologies, where we actually mean feasible in the near future vs. 
infeasible in the near (foreseeable) future. We follow the common literature of 
both theorists and experimentalists in order to decide how to classify each op- 
eration, without investigating further into the feasibility question. For instance, 
creating or measuring a singlet state (or any state of two two- level systems), 
and applying any single unitary transformations onto two two-level systems, are 
considered as existing although performing them in practice is still a problem. 
On the other hand, combining several such transformations on more than two 
two-level systems, and keeping quantum states for long times are considered as 
future technology. 

The distinction between existing and future technologies has a special role 
in quantum cryptography: the legitimate users are normally permitted to use 
existing technology only, while the opponents are permitted to use any operation 
consistent with the rules of quantum mechanics. Thus, a proof of security 
must hold against a "quantum" opponent and a practical protocol is performed 
by existing technology. In cases we permit the legitimate users to use future 
technology we explicitly say it, and we explain the motivation for it. 

In our work, we shall use alternately Dirac's bracket notation, vector nota- 
tion and spin notation |0) = LJ = | |), |1) = (j = I I), cos#|0) + sin^l) = 

11 



(sine) = cos ^l T) + sin^l |), etc. In case of spin in x direction we also denote 

|^) = (l/v / 2)(|T) + l!)) = ^G),etc. 

The rest of this introduction is organized as follows: The basics of clas- 
sical information are described in Section |1 . 1| . Quantum information theory, 
and mainly the use of quantum states for transmitting classical bits, are de- 



scribed in Section |1.2| . The principles of classical cryptography are described 
in Section |1.3| . We review the basic quantum key distribution schemes in Sec- 
tion [O], where we also explicitly present a key distribution protocol with all 
its details, and a detailed explanation of basic eavesdropping attacks and the 
security against them. We introduce quantum memory in Section |1.5| , in which 
we also discuss basic uses of quantum memories in quantum cryptography, and 
suggest implementations for a quantum memory. Recent progress in quantum 
computing |35|, |94| are deeply related to this work, although indirectly. A brief 
introduction to the exciting new developments in quantum computing is given 



in Section 1.6 



1.1 Classical Information 

Classical information theory 0, [ij quantifies the idea of information. If one 
tells us that the temperature on June 25 went up to about 30 degrees (Celsius) 
in Haifa, we would not gain much new information due to our a priori knowledge 
about the weather in that season. But if he tells us that it was snowing that day 
he surely provides us a lot of new information. To quantify this, some definitions 
are required. The self information of an event u is I(u) = log(l/ P(u)), where 
P{u) is the probability of the event, and where we always use log 2 so the basic 
unit is a bit. A rare event (e.g., snowing in June) has a large amount of self 
information. A multiplication of probabilities yields summation of information. 
The entropy of an ensemble A of events (letters) a 1; . . . , a n where each letter a, 
appears with probability P(aj) is the expected value of the self information 

n 

H(A) = E[log 2 (l/P(A))} = - y £ t P{a i )]o S (P(a i )) (1.1) 

and can be thought of as a measure of our lack of information on the unknown 
event in A. For instance, for a binary alphabet, H = — X^=i|l°g| = 1 if 
the letters appear with equal probability, and H = if one letter appears with 
certainty. The entropy of a binary alphabet with probabilities p and (1 — p) is 
denoted by H{p) 

H(p) = — p\ogp — (1 — p) log(l — p) . (1.2) 

Two ensembles of letters A and B might have dependent probability distri- 
butions. The trivial example is when A is the input alphabet for some infor- 
mation channel and B is the output. The source is assumed to be memoryless 
and stationary. An average distortion between input vector and output vector 

12 



is a measure for the channel quality. Usually an additive distortion measure is 
used g?(u,v) = YliLi d(ui,Vi) where d(ui,Vi) is a one letter distance. It is called 
the Hamming distance if d(ibi, vi) = for Ui = Vi and d(ui, vi) = 1 for U{ ^ Uj. 
For instance, the Hamming distance between the strings 000 and 111 is three. 
This measure can also be used as a measure of distinguishability of two input 
vectors (code words). In channel coding we increase the number of bits which 
encode each code word so that the additive Hamming distance between any two 
legitimate code words is increased. Hence, they can be distinguished even when 
the channel is noisy. Such techniques (known as error-correction techniques) 
enable receiving a reliable output when the channel is noisy. 

The relation between input and output of a transmission channel is described 
in terms of information p3, |j, and the Hamming distance can be a measure 



for the distortion of a string transmitted through the channel. The conditional 
probability of B — bi given that A = cij is P(B = bi\A = ctj) [we write P(6j|aj) 
for convenience]. The joint probability for both a,j and bi is P(bi, a,j). In case of 
independent probability distributions it is equal to P(bi)P(dj), and in general 
it is given by the Bayes probability law 

P(6 i |o i )P(o i ) = P(b h a,) = P{ aj \bi)P{bi) . (1.3) 

The Bayes probability law presents the symmetry of input and output. The 
conditional entropy is defined by 

H(B\A) = - E E P ^ h i) log p (k\a 3 ) (1.4) 

3 i 

where the sum is over the size of the input and the output alphabets. When A 
and B are independent, H(B\A) = H(B), meaning that we gain no information 
on B by being told what A is. Otherwise H(B\A) < H{B) meaning that 
our lack of knowledge about B is decreased when A is given. The gain in 
information when A is given is called the mutual information and is among the 
most important notions in information theory. The mutual information I(A; B) 
is symmetric in A and B. 

I {A; B) = H{B) - H{B\A) = H{A) - H{A\B) 

-ZZPM^^gL (1-5) 

In a perfect channel the output signals are completely determined by the 
input signals. The channel introduces no errors. A Binary Symmetric Channel 
(BSC) with input A and output B is a channel with binary alphabet where the 
signals are transported with symmetric distortion (i.e., equal error probabilities 
P e ). The optimal mutual information in this case is achieved when the input 
probabilities are also equal (hence also the output probabilities). It is 

I(A;B) = H(B)-H(B\A) = l-H(P e ) 

= l + P e logP e + (l-P e )log(l-P e ) 

= J[2P e log(2P e )+2(l-P e )log(2(l-P e ))l , (1.6) 
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sometimes denoted as h(P e )- 

For a given channel, the optimal mutual information (over all possible input 
probabilities) is called the channel capacity. The channel capacity C is a measure 
of the minimal distortion caused by the channel. For a binary channel C < 1. 
The 'Channel Coding Theorem' states that it is possible to derive an error-free 



code using a non-perfect channel |93], [I]]: for any positive e, we can choose an 
integer m and N vectors, iV < 2 mC , of length m (to be used as code words), such 
that all code words can be distinguished with error probability smaller than e. 
Another important channel is the Binary Erasure Channel (BEC) which is 
actually not a binary channel since its output contains, in addition to '0' and '1' 
also the letter '?' which stands for an inconclusive result. This channel intro- 
duces no error but the output of either inputs is inconclusive with probability 
P? . Channel capacity is derived with equal input probabilities and is calculated 
using eq.(O), (O) and (O) to be 



/ = H{A)-H{A\B) = l + y £P{b j ) y £P{a i \b j )logP{a i \b j ) 

3 i 

= 1-P? • (1.7) 

Note that the error probability P e and the probability P? (of an inconclusive 
result) have a different weight in their contribution to the mutual information. 

1.2 Quantum Information 

Contrary to a classical state, a quantum state cannot be identified unless addi- 
tional information is provided. Suppose that a spin measuring device is aligned 
in the z direction, so that it can identify the spin of an electron unambiguously 
if it is prepared along the z direction. An electron with some arbitrary (pure) 
spin state, say 

|V) = a|0>+/3|l) (1.8) 

(with \a\ 2 + \j3\ 2 = 1), will yield a result '0' (electron went up in a measuring 
device) or '1' (electron went down in that measuring device), unpredictably. 
The only clue that the state was as stated is that the probability for each result 
can be calculated. These probabilities are \a\ 2 for the result '0' and \{3\ 2 for the 
result '1'. Only if the physical state is taken from a set of orthogonal states in 
a known basis can it be identified in one measurement as in the classical case. 
The n letters of a quantum communication channel can be any different (not 
necessarily orthogonal nor pure) quantum states p\ . . . p n on an N- dimensional 
Hilbert space TCn- The mutual information of such a channel is a function not 
only of the input probabilities, but also of the choice of measurement performed 
by the receiver. Even in case of two orthogonal states, the receiver may select a 
bad choice of measurement direction which will tell him nothing. Therefore, one 
of the main questions is how to maximize the mutual information. For given 
signals and given input probabilities of the source, that is, for a given density 
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matrix 

n 

P = Y.PiPii ( L9 ) 

i=l 

what is the optimal measurement, and what is the mutual information in this 
case (called accessible mutual information)? In classical information theory, the 
only parameter controlled by the legitimate users is the input probabilities: op- 
timizing the mutual information over all possible input probabilities yield the 
"channel capacity" . In quantum information theory, the users control both the 
input probabilities and the measurement, and optimizing both to maximize the 
mutual information yields the channel capacity. We usually deal with given 
(and equal) input probabilities, and care only about the accessible mutual in- 
formation and not about the channel capacity 

The issue of finding the accessible information is frequently considered in 
the literature. One way to attack this problem is to find upper [Q and lower 
[p^l bounds on this information where the entropy of a quantum system, 

S = Tr (plogp) - ]TTr ( Pi \og Pl ) (1.10) 

i 

serves as the upper bound. Another way is to investigate and solve some special 



cases (subclasses) ]69], |34], ^] or concrete examples |34], |65|. Levitin |jjj dis- 
cussed two density matrices with equal determinants in 2-dimensional Hilbert 
space, and Braunstein and Caves |25[ considered density matrices which are 
close to each other. Various cases of pure states are also solved; Kholevo [p5 



and Davies [34| presented examples (with n > N) where the optimal mutual in- 
formation is derived with a non-standard measurement (i.e. non von Neumann 
measurements) since non-standard measurements |JT| can result in more than 
N results. On the other hand, it seems |j9) (but has not been proven) that if 
the Hilbert space spanned by n pure states is n-dimensional, the measurement 
which optimizes mutual information is a standard (projection) measurement. 
With some additional conditions, it probably holds for density matrices as well. 
Let us consider the simple case of two non-orthogonal pure states in Ti.2- A 
generalization of this to Hn is trivial since two pure states always span some 
2-dimensional subspace of 1~Ln- Suppose that the sender of the information, 
Alice, emits particles in one of the two non-orthogonal states |u) and |v), which 
represent bits and 1, respectively (the state of each particle is known to Alice). 
The states are sent with equal probabilities. Since these two states are not 
orthogonal, the receiver, Bob, cannot identify with certainty the state of a given 
photon. By a suitable choice of basis, the two non-orthogonal states |u) and |v) 
can be written as 

\u)=( C ° Sa ) and |v)=f C ° Sa V (1.11) 

ysma/ y— sin ay 

where < a < 45°. The angle between the two states is 2a. Note that the 
overlap between the two states is 

C = (u|v) = cos 2 a — sin 2 a = cos 2a . (1-12) 
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A standard measurement in an orthogonal basis symmetric to the two states op- 
timizes |69[] the mutual information; it is analogous to a BSC. This measurement 



introduces an error 



^ 9/ 71 " . 1 — sin 2a ,_ _„. 

P e = sin 2 (- - a) = , (1.13) 



ll6IlC6 

I BSC = l-H(P e )=I 2 (P e ). (1.14) 

Although a standard measurement is optimal in this case a non standard 



measurement |)0| may be better for certain purposes. The receiver can build a 
device which gives a definite answer in a fraction of the cases, and an inconclusive 
answer otherwise. A measurement of this type (with a perfect channel) creates 
an analogy to the BEC. It lets the receiver derive the optimal deterministic 
results. It is useful if the receiver is permitted to use a subset of selected bits 
and throw undesired result. In such a case, a measurement which optimizes the 
mutual information regarding the selected bits is preferable to the one which 
optimizes the average mutual information regarding all bits. A simple way to 
perform a deterministic measurement is to perform a standard measurement in 
the basis of one of the vectors. We define two vectors, 

\u')=(- Shia ) and W)=( Sina ), (1.15) 

y cos a J \cosaj 

which are orthogonal to |u) and |v) respectively. Suppose Bob measured in the 
|u) |u') basis: if the result is |u') which is orthogonal to |u), it must have been the 
other state |v) prior to the measurement; if the result is |u), it is inconclusive, 
since it could be either of the two possibilities prior to the measurement. 

The above can also be described in terms of non standard measurements, a 
description which is sometimes more appropriate for such analysis. The gener- 
alization of the standard projection measurement is called a positive operator 
valued measure (POVM) |H], |5l], |87|, |56fl . A POVM is a set of positive operators 



A\ . . . Ak which sum up to the unit matrix 1. Each operator corresponds to 
a possible outcome of the measurement. The probability that this generalized 
quantum measurement yields the /z'th element of the POVM, if the system was 
prepared in a pure state ij), is (i^IA^i/j) . More generally, for a preparation rep- 
resented by a density matrix p, this probability is Tr {pA^) . Contrary to the 
two positive operators which define a standard (projection) measurement, the 
operators which build up the POVM do not have to fulfill the condition that 
AiAj = for i j^ j, nor that AiA t = A t . 

To derive the optimal POVM in our case, we use the vectors |u'), |v') and a 
third vector 

|w)=Q, (1.16) 

equidistant from |u) and |v). It is easy to verify that the three positive operators 

A, = |u')(u'|/(l + C), A u = |v')(v'|/(l + C), A w = 2C |w)(w|/(l + C), 

(1.17) 
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(where C = cos 2a) sum up to the unit matrix B, and that A u and A v are 
maximal (increasing them further will violate the conditions for a POVM). A 
quantum test yielding A v rules out the initial state u which is orthogonal to it. 
The same is true for A u while A w yields an inconclusive result. The probability 
of an inconclusive result is 

(u|A,|u) = <v|A w |v> = C, (1.18) 

hence, 

I BEC = 1-C. (1.19) 

It is always possible pTj to extend the Hilbert space of states, Ti, in which 



this POVM is defined, in such a way that there exists, in the extended space, JC, 
a set of orthogonal projection operators, P M , summing up to the unit operator, 
and such that each one of the A^ in Eq. (1.19) is the projection of one of these 
P^ from K, to 7i. This is Neumark's theorem P6| . The physical interpretation 



of this theorem is that the extended space /C corresponds to a combination of 
the system to be measured with another system, called ancilla, prepared in a 



known state |6(], |8~7fl 



Another POVM, less efficient but simpler to realize than the above one, is 
the one we described earlier (a standard measurement in one of the basis) . This 
POVM is made of the positive operators: 

A, = (|u')(u'|)/2, A u = (|v')(v'|)/2, A w = (|u)(u| + |v)(v|)/2. (1.20) 

In this case, the ancilla merely registers which basis was used. 

The optimal mutual information for the two non-orthogonal pure states is 
derived by a standard projection measurement. The optimal basis is an orthog- 
onal basis symmetric to the two states[B3, ITDJ. An unproven claim of Levitin 



is that the optimal measurement is a standard measurement also for the case 
of two density matrices in 7i 2 - Levitin finds the accessible information for the 
simple case of two density matrices with equal determinant and input proba- 
bilities, where, again, the optimal basis is symmetric. Exact solutions for more 
complicated cases are not known. 

1.3 Classical Cryptography 

The art of cryptography is almost as old as wars are. First, the transmission 
of a secret message was done by trusted messengers. Then, people started to 
use substitution codes which 'prevented' the enemy from reading the messages 
even if he has got them. In this cryptographic method each letter is replaced by 
another letter using some secret permutation, whose choice is chosen from all 
the 26! possible permutations. The permutation must be known to the receiver, 
thus the sender and the receiver must share some secret data (a key) in advance. 
However, statistical properties of the language can be used to crack such codes. 
More recently (16th century), a new technique was replacing the substitution 
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codes. In this technique, the data (which for our purposes is always represented 
by a string of bits) is divided into strings of equal length k, and each string 
is combined (say, by a bitwise XOR operation) with a random key of length 
k known to the sender and the receiver. The combined data is sent through 
the communication channel. The usage of a random key reduces the statistical 
characteristics, since a letter is not always replaced by the same letter. The one 
time pad version of the key encoding (also called Vernam cipher), where the 
random key K is as long as the message M, was invented at the beginning of 
this century. In this encoding the i'th bit of the message is XORed with the 
i'th bit of the key to yield the z'th bit of the encoded message C, Ci = Mi® Ki 
(so that Ci is zero if Ki = Mi and one otherwise). For example, 

M 001110 101011 100101 001001 110111 

K 100010 111010 010100 001101 011010 . (1.21) 

C 101100 010001 110001 000100 101101 

This cipher cannot be broken at all since the key randomizes the message com- 
pletely. It is easy to see that knowing the transferred message C = M@K gives 
no information about M to an eavesdropper. This is formally proven using 
information theory; The eavesdropper's information is not increased since the 
probability of guessing the message M is independent of C: P(M\C) = P(M). 

The safety of the transmission depends on the safety of the key, which has 
to be uniformly random, secret and shared only by the legitimate users. More- 
over, safety can be guaranteed only if the key is used only once. The problem 
is therefore how to distribute the random key between users in a secure way. 
Classically, the only possibility is either through personal meetings, or through 
trusted couriers. Therefore, one time pads are very expensive, and are imprac- 
tical for many applications. 

Most practical cryptographic systems nowadays rely on different principles, 
i.e., computational security. This means that the system can be broken in prin- 
ciple, but that the computation time required to do so is too long to pose a real 
threat. Unfortunately, none of the existing schemes is proven to be computation- 
ally secure, and they rely on various computational assumptions. On one hand, 
they can be adjusted to yield any desired level of security once these assump- 
tions will be proven. On the other hand, the existing schemes might be broken 
in the future due to technological progress (faster computers), mathematical 
advances (faster algorithms or future theoretical progress in computation the- 
ory), or new type of computers (such as quantum computers) which are not 
equivalent to the standard computers. 

The existing public key distribution schemes are based on the very reason- 
able (but unproven) complexity assumption that there are problems which can 
be solved in non-deterministic polynomial time but cannot be solved in poly- 
nomial time (see explanation in Section |1.6| ), combined with additional less 
solid assumptions, such as that factoring large numbers is difficult. While the 
first assumption is very reasonable, the additional assumption is not. Indeed, 
some public key cryptosystems have already been broken in the past. The most 
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popular public key cryptosystems nowadays are based on the assumptions that 
the discrete logarithm and factorization problems are difficult. These assump- 
tions might be found wrong in the future. Furthermore, recent developments in 
quantum computation enable to use quantum computing devices to crack (at 
least in principle) all public key cryptosystems which are based on the discrete 
logarithm and factorization problems (and maybe many others) in polynomial 
time. 

The principle of public key cryptography was invented by Merkle |8(| and 
Diffie and Hellman j|0| . Later on, this principle had lead to the RSA crytposys- 



tem |9l| which is the basis for the most important public key schemes. The idea 
of public key cryptography is that the receiver chooses a pair of mutually inverse 
transformation E and D, one used for encryption and one for decryption. The 
sender does not need to know the receiver's secret key. Instead, the receiver 
publishes the encryption method E so that any user can use it (by calculat- 
ing C = E(M) ) to send the receiver any message. The decryption algorithm 
D remains secret, so that only the receiver can compute it and read the mes- 
sage M = D(C). As we mentioned previously, public key cryptography is not 
information-theoretic secure, but, based on some computational assumptions, it 
is designed to be computationally secure. It is based on the presumed existence 
of 'one way functions', E, which are easy to calculate while it is very difficult 
to calculate their inverse. This would still be fine if we could prove that a huge 
computing power is indeed required. Unfortunately, this is only assumed, and 
none of the suggested transformations is proven to yield a reasonable and useful 
one way function. To be useful for public key cryptography a one way function 
must have a "trapdoor" which is used by the legitimate users, and sometimes, 
the same trapdoor helps the adversary in reversing the function. 

Modern cryptography deals with many other protocols, aside from the se- 
cure transmission of messages, such as authentication, identification, electronic 
signatures, contract-signing, zero-knowledge proofs, and more. Some basic pro- 
tocols (from which more complicated protocols are built) are coin-tossing, bit 
commitment and oblivious transfer. Public key cryptography provides beauti- 
ful solutions to many such tasks, but usually these implementations suffer from 
security problems similar to those we previously explained. 

1.4 Quantum Cryptography 

A different technique for key distribution, which might provide an information- 
theoretic secure key distribution is quantum cryptography. The legitimate users 
of a quantum key distribution scheme use non-orthogonal quantum states as the 
information carriers. They cannot prevent Eve from listening to their informa- 
tion exchange, but due to the "no-cloning" principle they will notice if she does, 
and in such a case, they will not use the non-secret information. The no-cloning 
principle assures us that any eavesdropping attempt induces noise. This noise 
can be detected by Alice and Bob during the second stage of the transmission, 
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which includes discussion over a classical channel. 

Let us present the no-cloning principle in more details. The "no-cloning 
theorem" tells us that a single quanta cannot be cloned [|107| , |39[| : Assuming 



that (any) quantum state can be cloned contradicts the unitarity of quantum 
mechanics. Let u and v be two non-orthogonal (and non-identical) quantum 
states, let A be the initial state of an auxiliary system used for the cloning 
process, and let U be a general unitary transformation. A cloning process 
which duplicates both states is |86| : 



|A>|u> — tf(|A)|u» = |B u )|u)|u) 

|A)|v> — l/(|A)|v» = |B v )|v)|v) (1.22) 

with all states normalized. This process is impossible since unitarity implies 
(u|v)(B u |B v ) = 1 (note that the states B live in a smaller dimensional Hilbert 
space than A). Moreover, even a less ambitious cloning process 

|A)|u> — l/(|A>|u» = |A u )|u) 

|A)|v> — ,C/(|A>|v» = |A v )|v), (1.23) 

(with \A V ) t^ \A U )) is impossible; In this process one attempts to gain an imprint 
of the received state (|u) or |v)), without disturbing the original. Unitarity 
implies (A U |A V ) = 1, meaning that no information at all can be gain on the 



states while keeping them unchanged [11]. There is no duplicating attempt here 



and we adopt Peres' suggestion to name this "an imprint process" . Thus the 
second version of "no cloning" is referred to as the "no clean imprint" theorem: 
one cannot get an imprint of a quantum state without dirtying the origin. 

In quantum cryptography Alice and Bob use a quantum channel to transmit 
the non-orthogonal quantum states. Any attempt by Eve to learn anything 
about these states induces noise. The information transmitted in a quantum 
channel may be modified, hence Alice and Bob use also, in addition to the 
quantum channel, an unjammable classical channel which is not secured against 
eavesdropping. The quantum channel is used for the distribution of the secret 
key, while the classical channel is used in particular to verify that there are no 
errors (hence no eavesdropping), and later on, to send the encoded message. In 
principle, this is sufficient to ensure the safety of the transmission: Alice and 
Bob exchange a larger string than required for the key and use the extra part 
to test for eavesdropping. If they find no errors the channel is secure hence also 
the transmitted key. This can be verified to any degree of safety by checking 
a larger fraction of the bits. If they do find errors they know that Eve was 
listening. 

Unfortunately, perfect quantum channels do not exist and Alice and Bob 
may find errors even if no eavesdropper is listening. As a result, a much more 
complicated protocol is required, and the eavesdropping analysis also becomes 
much more complicated. At first it seemed that quantum key distribution can 
still be secure in this case, but it was recently understood that security in noisy 
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channels (and devices) is not guaranteed, if Eve is equipped with a quantum 
memory! When we use the terms "secure" or "secret" in the rest of the work 
we refer to being information-theoretic secure (unless stated otherwise). 

Key distribution is only one of the implementations of quantum cryptog- 
raphy. Many other tasks (and their implementations) have been considered in 
the literature, based on the four-state scheme. We shall also discuss two tasks 
which have been the subject of very interesting works in quantum cryptography: 
oblivious transfer and bit commitment. 

1.4.1 The Four-State Scheme and a Protocol for Quan- 
tum Key Distribution 

The first quantum key distribution scheme is the Bennett-Brassard (BB84) 
scheme || which we call the four-state scheme. We describe it using the ter- 
minology of spin 1/2 particles, but it can use any two-level system. A classical 
two-level system, such as a bistable device, can only be found in one of the two 
possible states, hence it encodes one bit. In contrast, a quantum two- level sys- 
tem can be prepared in any coherent superposition of the two basis states, which 



creates a much richer structure. Such a system is now known as a "qubit" |)2 
(i.e. quantum bit). For each qubit, Alice chooses at random whether to prepare 
her state along the z or the x axis, i.e., in one of the two eigenstates of either 
S z or S x . This state, denoted by: | f ), 1 1), | <— ) or | — >) is then sent to Bob. It 
is agreed that the two states | f ) and | <— -) stand for bit value '0', and the other 
two states, | J.) and | — >) stand for '1'. Bob chooses, also at random, whether 
to measure S z or S x . When his measurement is along the same axis as Alice's 
preparation (e.g., they both use S z ), the measured value should be the same as 
hers, whereas when they use conjugate axes, there is no correlation between his 
result and Alice's original choice. In addition to the quantum channel, the legit- 
imate users also use a classical channel as previously explained. By discussing 
over this channel Alice and Bob agree to discard all the instances where they did 
not use the same axes. The result should be two strings of perfectly correlated 
bits. These two strings shall be identical in case no natural noise occurs and 
no eavesdropper interferes. We shall call this resulting string the raw data. As 
the choice of axis used by Alice is unknown to Eve, any interaction by her will 
unavoidably modify the transmission and introduce some errors. 

In practice however, the transmission will never be perfect and there will 
be some errors, even in the absence of an eavesdropper. Alice and Bob use the 
classical channel to compare some portion of their data and calculate the error 
rate. They decide about some permitted error rate, P e , which they accept, and 
determine this error rate according to the properties of the channel and their 
devices. Eve could take advantage of that, and attack some of the bits to gain 
some information, as long as the error rate she induces, p e , plus the natural 
errors, do not exceed the permitted error rate. For all further discussions we 
assume that Eve is powerful enough to replace the channel by a perfect channel 
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so she can induce as many errors as accepted by the legitimate users p e ~ P e (or 
more precisely - a little less): Eve can detect the particles very close to Alice's 
cite (where not many channel errors are yet induced) and release her particles 
very close to Bob's cite. 

Assume Alice and Bob used the same basis. When Eve eavesdrops on a 
fraction rj of the transmissions, performing a standard measurement in one of 
the bases (as Bob does), the error rate created is p e = rj/4: when Eve uses 
the correct basis, she does not introduce any error, while she creates a 50% 
error rate when she uses the wrong basis. Eve knows the permitted error rate 
(agreed using the classical channel), thus she chooses 77 = 4P e . The average 
mutual information she obtains is rj/2: she has total information when she 
used the correct basis, and none when she used the wrong one. Note that the 
scheme is completely symmetric, so that Eve shares the same information with 
Alice and with Bob. Therefore, we can write the mutual information shared 
by Alice and Eve and shared by Eve and Bob as a function of the error rate: 
lAE(Pe) — lEB^Pe) = 2P e . More complicate attacks are discussed in Chapter [|. 

As long as P e is not too high, Alice and Bob might be able to use classical 
information processing techniques, such as error correction and privacy ampli- 
fication H 13, H, to obtain a reliable and secure final key. It is called reliable 



if they succeed to reduce the error rate to zero, and it is called secure if they 
succeed to reduce the information obtained by Eve to zero as well (by "zero" 
we mean close to zero as they wish). Both techniques are based on the use of 
parity bits of long strings where the parity of a string is zero if it contains an 
even number of l's and the parity is one if the string contains an odd number 
of l's. For a two-bit string, this is exactly the XOR of the two bits. 

The simplest error-correction code is the repetition code from one bit to 
three bits: is encoded as 000 and 1 as 111. It is not efficient (since the amount 
of transmissions is increased by a factor of three) and it can correct only one 
error in the three bits; and if two errors occur the "corrected" final bit is wrong. 
This code uses two additional bits to correct a possible error in one bit. A 
more efficient code J73J is the Hamming code H3 which uses three parity bits to 
correct one error in four bits: Alice add to her four bits three parity bits so 16 
different words are written using 7 bits. Since this example is explicitly used in 
Chapter f|, let us present it in more details. The words are easily calculated by 
taking the fifth bit to be the parity of bits 1, 2, and 3; the sixth bit to be the 
parity of bits 1, 2, and 4; and the seventh bit to be the parity of bits 2, 3, and 
4. For instance: 



1.24) 



1111 111 

Let us call these seven-bit words Wi where i goes from 1 to 16. It can be easily 
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checked (an also proven) that any two words differ by at least three bits, thus 
any single error can be corrected. (We say that any two words are at a Hamming 
distance of at least three). When Alice sends a word W{ and Bob receives it with 
a single error he can correct it and re-derive w%. In practice Alice will send Bob 
seven random bits. If the seven-bit word is in the above set, she (later on) sends 
000. If it is 0000 001 or any word which is the bitwise XOR of w { with 0000 001 
Alice sends (later on) the string 001. If it is any word which is the bitwise XOR 
of Wi with 0000 010 Alice sends the string 010, etc. Note that Alice actually 
sends the parity bits of (1, 2, 3, 5); (1, 2, 4, 6); (2, 3, 4, 7). In this case we say that 
Alice sends the parities of the parity substrings (1110100; 1101010; 0111001). 
Doing so she also tells the parities of all their linear combinations, such as 
1110100 © 1101010 = 0011110. This Hamming code has generalizations to 
codes H r of length 2 r — 1 and r parity bits, and generalizations to BCH codes 



which correct more than one error [73 



Assume that Eve had no knowledge on their string apart of the error- 
correction data. After performing that type of error correction Alice and Bob 
remain with a corrected word of the same length (e.g., of length of seven bits in 
the above example), and Eve knows that it is taken from a smaller set of words 
(16 words, in this example). Alternatively, they can distill a shorter common 
string (of length four, in the above example), which is completely unknown to 
Eve (simply by keeping only the four first bits in the above example). 

In reality, Eve has both the error-correction data, and some data she gained 
by eavesdropping on the transmitted particles. Alice and Bob perform a privacy 
amplification technique to reduce Eve's information to be as small as they wish. 
The simplest privacy amplification uses the parity bit of a string as the secret 
bit. The analysis of Eve's information could be very complicated. Let us start 
from the simplest case. In case the eavesdropper does not know one (or more) 
bit(s) of the string, she does not have any information on the parity bit. In other 
simple cases Eve has either full information or zero information on each bit, and 
we can calculate the probability P(n) that Eve knows all the bits thus we can 
calculate her average mutual information / = l[P(n)] + 0[1 — P(n)] = P(n). 
If P(n) is exponentially small with n we say that the final bit is exponentially 
secure^. In general, the situation is more complicated, and Eve's information on 
each bit is neither zero nor one. When Eve has some probabilistic information 
on the bits, her information on the parity bit is not a simple function as in 
the example above. Analysis of the privacy amplification in such cases were 
done in [|S], [7T| using the concept of collision entropy. Alternatively, one could 
calculate the probability that Eve guesses the parity bit correctly. When privacy 
amplification is done after error correction, its analysis is even more complicated 
since Eve has both the information on the bits and the error-correction data. 
Furthermore, we might wish to obtain more than one final bit, so that the parity 



4 When Eve has a total information which is much smaller than one bit, the key is already 
information-theoretic secure. An exponential security where / « 2~ n is much better than 
security with / s=s 1/n. 
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of the whole string is not a good choice, and the final key is usually constructed 
from parities of several substrings of length of about half the string. 

Fortunately, for particular symmetric cases, where Eve has the same error 
probability for each bit, the analysis of privacy amplification is still possible. 

Let us return to the key distribution scheme: All these operations, error 
estimation, error correction and privacy amplification, waste many bits (say, I). 
In order to remain with a final key of L bits Alice should send V > 2(L + /) 
qubits (where the factor 2 is due to the two bases). In more details, Alice 
and Bob start with L' qubits, compare basis, and use some bits (of the raw 
data) to estimate P e . As a result, n bits remain, from which about P e n are 
erroneous. Alice and Bob randomize the order of the bits and correct the errors 



using an appropriate error-correction code |73| . This process generates parity 
bits which Alice sends to Bob (using the classical channel), who uses them to 
obtain an n'-bit string (n' could be smaller than n) identical to Alice's, up to 
some very small error probability. By that time Eve has both the information 
she gained in her measurements, and the additional information of the error- 
correction data. Alice and Bob amplify the security of the final key by using 
privacy amplification: by choosing some parity bits of substrings to be the final 
key. Both the information available to Eve on the final key, and the probability 
Pf of having error in the final string must be close to zero as much as desired by 
Alice and Bob. Various eavesdropping techniques, and the efficiency of privacy 
amplification against them, are discussed in details in the next chapters. 

Another fact which could be useful to Eve is that some of the transmitted 
particles do not reach Bob. The easiest way to deal with them is to consider 
them as errors (but this might affect the practicality of the scheme). 

By the time we started this work, it was assumed that the privacy ampli- 



fication of |L3| and its extension in ||, indeed provide the ultimate security. 
Only after intensive discussions with Charles Bennett, Bruno Huttner, Dominic 
Mayers and Asher Peres, (initiated in Torino, 1994, at the ISI conference), it 
became clear to us that privacy amplification might not work against a "quan- 
tum" eavesdropper equipped with a quantum memory, and the possibility to do 
any unitary transformation on the qubits. The security problem is explained 
in Chapter |2|, together with our suggestion for a way to approach the security 
problem. We develop it further in Chapters |3| and (|, providing strong evidence 
that quantum key distribution is secure, even against a "quantum eavesdrop- 
per" equipped with any possible devices, and restricted only by the rules of 
quantum mechanics. 

Let us review other schemes for quantum key distribution, and concentrate 
only on the parts which are different from the above scheme. 

1.4.2 The EPR Scheme 



The second basic quantum key distribution scheme is based on EPR |E| corre 



lations. It was suggested by Deutsch [RH] , formalized by Ekert MM and modified 



by Bennett, Brassard and Mermin |ilf . We describe here the modified version 
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which we call the EPR scheme. In this scheme Alice creates pairs of spin 1/2 
particles in the singlet state, and sends one particle from each pair to Bob. 
When the two particles are measured separately the results obtained for them 
are correlated. For example, if they are measured along the same axis, the re- 
sults are opposite, regardless of the axis. Alice and Bob use the same sets of 
axes as for the four-state scheme, say S z and S x , and keep the results only when 
they used the same axis. It is noteworthy that, in the EPR scheme, the pairs 
could be created by any other party, including Eve herself. 

Let us discuss this point in more details. The singlet state may be written 
in infinitely many ways. We write it as: 

* { - ] = Jf(IUW-IUM) 




A~^B 



>-|-M«-b», (1-25) 



where the equality follows from | — ►) = -4=(| f ) + | J,)) and | <— ) = 4=(| y) — | J,)) , 
and where the subscripts 'A' and 'B' stand for Alice and for Bob. When Alice 
and Bob use the same axis, either z or x, we use the first or the second equation 
respectively, to see that their measurements always yield opposite results. The 
singlet state is the only state with this property. Therefore, as Alice and Bob 
may measure either of these two options, any deviation from the protocol by 
Eve (i.e., any attempt to create another state), will induce errors. So Eve must 
create the required singlet state, from which she cannot extract any information 



about Alice's and Bob's measurement (see [[0], |TT[ for more details). 



1.4.3 The Two-State Scheme 

The last elementary scheme is the two-state scheme 0. In this scheme, Alice 
chooses one of two non-orthogonal states, 



or 0i = T Q (1-26) 





and sends it to Bob to encode and 1 respectively. As these states are not 
orthogonal, there is no way for Bob to decode them deterministically. 

Bob must not use the optimal projection measurements (in the symmetric 
basis) because then the protocol is unsafe: Eve also measures in that basis and 
sends Bob photons (according to her results) in the orthogonal symmetric basis; 
hence her string and his string are the same. Bob expects a certain amount of 
errors which is exactly the amount of errors in Eve's string, Therefore Eve 
introduces no additional errors to what Bob would expect. 

Bob must obtain deterministic information on Alice's state in order to no- 
tice the presence of Eve. We have already seen how to analyze this system in 



Section |1.2| , and we saw that partial deterministic information is obtained by 
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means of a POVM. When the best possible POVM (|1.17|) is used, Bob's mutual 
information is equal to 1 — P? = 1 — cos 29 where cos 29 is the overlap of the 
two states. When Bob uses the optimal POVM, Eve cannot avoid introducing 
errors. The safety of the protocol against eavesdropping is ensured by the fact 
that Eve cannot always get deterministic results either. Therefore, in many 
instances where she intercepts the transmission she will have to guess Alice's 
choice. If the channel is very lossy, Eve could take advantage of it and learn all 
information: she performs the optimal deterministic attack, and throws away 
the bits whenever she got an inconclusive result. Thus, in order to use this 
scheme we must restrict also the losses in addition to the restriction on the 
error rate, or alternatively use a reference signal |4[]. To simplify further dis- 
cussion of this scheme we redefine P e to include the losses, thus it is better for 
Eve to send something (which might not be counted as error) than to keep the 
particle. 

In our further discussions we consider a scheme in which Bob does not per- 
form the optimal POVM. Instead, Bob performs a less optimal test which also 
provides him with a conclusive or inconclusive result. This test was described 
in Section [L2| by a less efficient POVM (|1 . 20| ) , but it can also be described us- 



ing ordinary measurements: Bob performs one of two possible tests with equal 
probability. In half the cases he tests whether a specific particle is in a state 0o 
or a state orthogonal to it <fio = (J^se)' A resu h 0o is treated as inconclusive 
(since it could also be 0i sent by Alice), but a result O ' is always identified as 
<pi. In the other half he tests whether a specific particle is in a state 0i or a 
state orthogonal to it <pi = (™ A; A result 0i is treated as inconclusive (since 

it could also be O sen t by Alice), but a result 4>i is always identified as O - 
All the conclusive results are the raw data. Note that Bob can get a correct 
conclusive result only if he chooses a basis which does not contain Alice's state 
(in contrast to the situation in the four-state scheme). 

1.4.4 Weak Coherent Pulses 

As single photons are difficult to produce experimentally, a "slight" modifica- 
tion of the four-state scheme, using weak pulses of coherent light instead of 



single photons, was the first one to be implemented in practice |5|, |100| , |83 
Such schemes are sensitive to losses in the channel and to the existence of two 
photons in a pulse. In an earlier work [58[, not included in this thesis, we 



focused on quantum cryptographic schemes implemented with weak pulses of 
coherent light. We compared the safety of the four-state scheme and the two- 
state scheme, and presented a new system, which is a symbiosis of both, and for 
which the safety can be significantly increased. In that work we also provided a 
thorough analysis of a lossy transmission line. A recent work of Yuen |110|] sug- 



gests that most of the practical schemes implemented in laboratories based on 
weak coherent pulses are not "slight" modifications since they use a completely 
different Hilbert space. Yuen actually shows that these implemented schemes 
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are insecure due to that fact. 

In this thesis we do not deal with weak coherent pulses. Whenever we discuss 
the four-state or the two-state schemes we refer to the schemes as previously 
described, which are using two level systems. 

1.4.5 Quantum Bit Commitment and Oblivious Transfer 

Let us consider two other possible applications of quantum cryptography, Bit 
Commitment (BC) and Oblivious Transfer (OT). These are defined as follows: 

BC: Assume Alice has a bit b in mind. She would like to be committed to this 
bit towards Bob, in a way that she cannot change it, but yet, Bob will have 
no information on that bit. In a bit commitment scheme Alice provides 
Bob some evidence through a procedure commit(b) which tells him that 
she is committed while following these two requirements. At a later time 
Alice can reveal b to Bob through another procedure unveil(b), which 
provides Bob, in addition to the value of the bit, with some information 
from which he can make sure she did not change the bit she was committed 
to. 



OT [|106| , |47| : Alice has two bits in mind. She sends them to Bob in a way 



that he receives only one and knows nothing on the other bit. Alice does 
not know and can have no control on whether Bob gets the first or the 
second bit. 



OT |P0 |: Assume Alice has a bit b in mind. She would like to transmit this 
bit to Bob so that he receives this bit with probability 50%. Bob knows 
whether he received the bit or not, but Alice must be oblivious to this. 
Neither of them can control the probability of reception. 

In the BC protocol, a cheating Alice would like to change her commitment 
at the unveil stage, and a cheating Bob would like to learn the bit from her 
commitment. In the LJ OT a cheating Alice would like to control or to know 
which bit Bob received, and a cheating Bob would like to learn more than one 
bit. In the OT protocols a cheating Alice would like to control the probability 
that Bob receive the bit in OT or to learn whether Bob got the bit or not, and 
a cheating Bob would like to learn the bit with probability better than 50%. 

The two versions of OT are equivalent [[3^] : OT is derived from LJ OT by 

considering only one bit of the two. A protocol for (J OT is derived from OT 
as follows: Alice and Bob perform OT several times. Bob arranges the bits in 
two strings — a string of bits he knows and a string of bits he doesn't; He tells 
Alice the groups but not which group is known to him. Then, the parity bits of 
each string are used for (V\ OT. 

BC can be derived easily from LJ OT: Suppose Alice sends a string of 2n 
bits to Bob such that each pair of bits &2i, &2i+i are transmitted to Bob via 
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LJ OT scheme. Alice wants to commit to a bit b, so she chooses the pairs of 
bits to fulfill b = &2« © &2«+i- Bob knows nothing on the value of b. Procedure 
unveil(b) includes the value of b and the value of all the 2n bits. If Alice wants 
to change the value of b she needs to change one bit in each pair. Unless Bob 
has accidentally received (in commit(b) ) only the bits she does not change, she 
will be caught. Her chance to cheat successfully is 2~ n , so that this procedure 
provides exponential security. It is generally believed that OT cannot be derived 
from BC 

The best protocols which are available today for quantum oblivious transfer 
and quantum bit commitment are severely influenced by the possibility to use 
quantum memories. On one hand, we do not wish to explain these complicated 
protocols in details since they are not relevant for our work. On the other hand, 
their sensitivity to the existence of quantum memory is remarkable, and we 
wish to show it. As a compromise, we present two toy-models which exhibit the 
same sensitivity to quantum memories. 

The four-state protocol for key distribution can be modified to produce a 
naive LJ OT protocol [Q: Alice sends particles as in the four-state scheme and 
Bob measures them in one of the two bases. If he measures in the same basis 
Alice has used he gets a bit, hence he receives each bit with probability 50%. 
Alice then tells him the basis she used for each photon, so he knows which bits 
he has received as required. Bob organizes the bits in two sets, one set for those 
he identified and one for those he didn't. He tells Alice the members of each 
set but not which is the identified set. Alice sends him error-correction data for 
the two sets so that he can correct one of the strings only, but not the other. 
Finally Alice uses the parity bit of one of the strings to transmit him her secret 
bit. 

A naive bit commitment scheme based on using the four-state scheme can 
also be easily implemented by choosing the basis as representing the secret bit. 
Alice sends to Bob the bit '0' using either | — >) or | <—), and '1' using | f) or 
||). In this case, of course, Alice does not tell Bob anything at the commit(b) 
stage. In the unveil stage she tells him both the bit and the state she used. 
Bob cannot learn the bit since both possible values are described by the same 
density matrix 

(1/2)(| -><- | + | «-)<«- |) = (1/2)(| TXT I + I 1>U I) • (1-27) 

Alice can cheat with probability of 1/2; for instance she sends f to commit to 
'1', and in order to change her commitment she later on claims that she has 
sent <—. Thus the protocol demands that she commit to the same bit n times, 
so the probability of successful cheating is reduced to 2~ n . 

Both these protocols are insecure, since the parties can cheat using quantum 
memories as we explain below. 
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1.5 Quantum Memory 

In this section we present the quantum memoryf]: its definition, basic use, and 
its possible implementations. 

1.5.1 Defining a Quantum Memory 

A classical bit or a classical string of bits can be kept in a memory, where 
their value is preserved for a long time. The main physical feature required for 
keeping a bit is the huge redundancy used for the two possible bit values. 

When it comes to the quantum world things become less obvious, but still 
we can provide an appropriate definition: 

• A quantum memory is a device where a quantum state can be kept for a 
long time and be fetched when desired with excellent fidelity. 

Clearly, both "a long time" and "excellent fidelity" are determined by the de- 
sired task for which the state is kept. 

A quantum state develops in time according to some unitary operation, and 
is exposed to interactions with the environment. If redundancy is added in a 
simple way as in the classical case above, we might lose all the advantages of 
using quantum states. Thus, it is not easy to keep a quantum state unchanged 
for a long time. The same problem appears when we want to transmit a state 
over a long distance. However, with existing technology, one can talk about 
transmissions of quantum states (e.g., sending photons' polarization states to 
a distance of more than 10 kilometers), while it does not make much sense to 
discuss memories where a state can be kept for 10~ 3 seconds (which is much 
shorter than a phone talk). Consider a quantum bit (a two level system) in a 
state 

<*=(;); d.28) 

If it changes according to some unitary transformation to a state 

(1.29) 




we may still be able to use it if we know the transformation, but if it decoheres 
due to interactions with other systems, in a way which we cannot reverse in time, 
the state is lost. As in the case of transmission over a long distance — one can 
choose some acceptable error rate P e , and agree to work with the experimental 
system as long as the estimated error rate p e does not exceed P e . To estimate 
the error rate, one first does all effort to re-obtain the desired state (e.g., take the 
unitary transformation into consideration), and then one compares the expected 
state ip l with the obtained state p and defines the error rate as the percentage 
of failure. In theory, if we consider some irreversible change to the state (due 

5 Parts of this section are original. 
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to environment, or an eavesdropper, or any other reason), and we can calculate 
the obtained state, the error rate is 



j i 



p e = 1 - (^W 1 ) ■ (1-30) 

The definition of a quantum memory contains more that just the ability to 
preserve a quantum state for a long time. Other necessary conditions are the 
input / output abilities: One must be able to produce a known quantum state; 
One must be able to input an unknown state into the memory; One must be 
able to measure the state in some well defined basis, or furthermore, to take 
it out of the memory (without measuring it) in order to perform any unitary 
transformation on it (alone, or together with other particles). 

1.5.2 Basic Uses of a Quantum Memory 

We shall describe here only simple uses known by the time we have started this 
work. The rest of this work concentrates on other uses of quantum memory, 
which are much more advanced. While doing this work more fascinating uses 
of quantum memory were suggested by others, and we will shortly review them 
in the relevant chapters (mainly in Chapter 6). 

• Doubling the efficiency of the four-state scheme for QKD: Bob keeps the 
particles in a memory, and measures them after Alice tells him the bases. 

• Improving the EPR scheme: instead of measuring the states of their par- 
ticles, writing the results on a paper and hiding the paper, Alice and Bob 
keeps them in a quantum memory. This way they are assured that no one 
else had access to the paper, and therefore, no one else has the key. They 
perform a measurement only when they want to use the key Jl4| . 



Teleporting || a state using singlet pairs prepared in advance. 
Suggesting new schemes for quantum key distribution which relies upon 



the existence of short time quantum memory [ 16|, |52| . 



Cheating the naive LJ OT scheme presented in the previous section. Bob 
delays his measurements till after he receives the classical information 
regarding the basis used by Alice; In this case he gets full information. 

To overcome this problem, the LJ OT protocol was modified [10| to con- 
tain a step where Bob commits to the measurement he performed, thus 
he cannot avoid performing the measurement. However, this "solution" 
creates a tremendous complication to the protocol, and even worse - it 
adds an undesired dependence on the existence of secure bit commitment 
scheme! 
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Cheating the naive bit commitment scheme. Alice use photons taken from 
EPR singlet pairs, keeps one particle of a pair in a memory, and sends 
the other to Bob; she chooses the basis just right before she performs 
unveil (b); She may thus change her commitment as she wishes to |23|| . 

A better (and much more sophisticated) bit commitment was later sug- 
gested |24|], but most amazingly - it was recently broken by Mayers [T5 



due to similar (but deeply hidden) flaws! Mayers' attack is based on a 
theorem regarding the classification of quantum ensembles [Q . In terms 
relevant to quantum cryptography this theorem states that two "differ- 
ent" quantum systems (in Bob's hands) which are described by the same 
density matrix [e.g. as in eq. ( |1.27| )1 can always be created from one entan- 



gled state shared by Alice and Bob, by measurements performed at Alice's 
site. Thus, Alice can postpone the decision of whether a state comes from 
the first or the second system, and change her commitment at the unveil 
stage. The consequence to bit commitment is that, either the two density 
matrices are different and Bob can partially learn the commitment, or 
they are similar and Alice can change her commitment. 

• Breaking the classical logical chain of achieving a secure protocol by using 
secure building blocks. Thus, any protocol which is based on secure build- 
ing blocks must be also checked as a whole. As a result, the importance 
of the building blocks (such as OT and BC) is reduced. 

There is a very surprising consequence of breaking the logical chains: Due 
to the facts that (1) BC can be built upon OT and (2) secure BC probably 
does not exist J78J one could induce (by reduction) that secure OT cannot 
exist. However, secure OT might still exist, despite the fact that the BC 
protocol built upon it is insecure. 

1.5.3 Implementations 

By the time we began this work, the possibility of implementing a quantum 
memory was hardly considered. The following discussion is taken from our 



work |19fl , and was done with the help of David DiVincenzo. 

We demand the possibility to program, store and manipulate quantum bits. 
Any 2-dimensional Hilbert space system can be considered and this opens a 
variety of possible implementations. Fortunately, apart from a different timing 
requirement, the same requirements appeared recently in quantum computing, 



and are being thoroughly investigated by both theorists f36|, fy], |2|, pi]] , and 



experimentalists ]33, |103| . |32|| . The difference in the timing requirements is that 
the quantum bits in most applications of a quantum memory are subjected only 
once (or very few times) to a unitary operation of calculation, while the quantum 
bits in quantum computation are subjected to a huge number of computations; 
On the other hands, the common tasks where quantum memory is used take 
long times. As a result, the problem of decoherence is different. For quantum 
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memories we don't need to consider the switching time versus the decoherence 
time, but we must require a decoherence time on the time scales of minutes, 
days, and even years, depending on the applications. 

It may be possible to implement a working prototype of such a memory 
within a few years. Such a prototype should enable to keep quantum states 
for a few minutes (or even hours), and to perform two-bit operations on them. 
At the moment, the best candidates for combining these two operations are 
ion traps. In ion traps the quantum bits can be kept in internal degrees of 
freedom (say, spin) of the ions, and in phononic degrees of freedom of few ions 
together. It is already possible to keep quantum states in the spin of the ions 
for more than 10 minutes p2[ and in principle it is possible to keep them for 



years. These ion traps are thus good candidates for implementing quantum 
memories. Moreover, they are also among the best candidates for quantum 
manipulations, since there are ways to use the phononic degrees of freedom to 
perform two-bit operations J5I], such as the very important controlled-NOT 



gate. Barenco et al. || realized that a single quantum controlled-NOT logical 
gate would be sufficient to perform the Bell measurement, a measurement which 
appears in almost all applications of quantum memories. Thus, using ion traps 
it is possible to (partially) perform the Bell measurement, and this was shown 
both in theory [[H|] and in an experiment fl82| . Combining together the two 



experiments^ to have both long lived quantum states and the possibility to 
manipulate them will create a useful quantum memory. 

The way to establish a real working quantum memory which suits for all pur- 
poses is still long. The main obstacle is that it is currently impossible to transfer 
a quantum state from one ion trap to another. A fully operating quantum mem- 
ory must allow us to put quantum states in a register (that is, a separate ion 
trap), and pull it out to another register when we want to perform operations 
on it, together with other qubits (possibly held in other registers). Recently, the 
possibility of doing this arose from the idea of combining ion-traps (where the 
ions are well controlled) and QED-cavity together, and to use the same internal 
degrees of freedom for both [PEL [551] . We shall call this combination cavitrap for 
convenience. In QED cavity [Q the internal degrees of freedom are coupled to 



photons and not to phonons. Recently, another group [ pL 03|| has shown that it 
is possible to use polarization states of photons instead of using the |0) and |1) 
Fock states. If such photon states are used in a cavitrap, it may be possible 



to use them to transmit a quantum state from one cavitrap to another [42|. In 



some sense, this will be an implementation of the nuclear spins based "quantum 
gearbox" suggested by DiVincenzo f4lf . 

All this discussion would be considered nothing but a fantasy just few years 
ago. However, similar (and more complicated) ideas are required for using 
quantum gates in both quantum computing and quantum information, and a lot 
of effort is invested in both the theory and application of quantum gates. Also, 
quantum memory is considered more and more seriously, for various purposes, 



6 Which were done by the same group in NIST. 
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and the fantasy becomes closer to reality every year. 

1.6 Quantum Computation 

A classical computer can solve certain problems in a time which is polynomial 
with the size of the input. Such problems are called easy, and other problems, 
which are solved only in exponential time are called difficult. Public key cryp- 
tography uses one way functions with trapdoors, i.e., functions which are easy 
to compute while their inverses are difficult to compute unless some secret key 
is known. Easy problems are not useful for public key cryptography. An impor- 
tant class of problems (which are useful for public key cryptography) is those 
solvable in non-deterministic polynomial time, for which a given solution can 
be verified in polynomial time. It is well accepted that the most difficult prob- 
lems in this class are difficult to solve, although this assumption is not proven. 
Unfortunately, the popular cryptosystems are not based upon this assumption 
alone, but on much less solid assumptions. For instance, on the assumption 
that factoring large numbers and computing discrete logarithms are difficult. 

More than 20 years ago Feynman raised an important question: Can quan- 
tum devices, based on quantum principles, simulate physics faster than classical 
computers? Deutsch |35| proposed a Turing-like model for quantum computa- 



tion in 1985, called a quantum Turing machine. He constructed a universal 
quantum computer which can simulate any given quantum machine (but with a 
possible exponential slowdown). The quantum Turing machine is different from 
classical Turing machine in that, in addition to standard abilities, it can also 
get into superpositions of states. Bernstein and Vazirani []T7| constructed an 
efficient universal quantum computer which can simulate a large class of quan- 
tum Turing machines with only polynomial slowdown. Yao |108| developed a 



complexity model of quantum circuits showing that any function computable in 
polynomial time by a quantum Turing machine has a polynomial size quantum 
circuit. Quantum circuits and networks were defined by Deutsch PB[ on the 



basis of reversible classical logic ||. Yao ||108|| also developed a theory of quan- 
tum complexity which may be useful to address the question whether quantum 
devices can perform computations faster than classical Boolean devices. 

There were early attempts of solving problems on quantum computers more 



efficiently than it is possible on classical computers |T8|, |37], |97]], focusing on 
problems which are not known to be solved in polynomial time on a classical 
computer. These works were the groundwork for the recent breakthrough of 
Shor [Q. Shor succeeded to solve in polynomial time the problems of dis- 



crete logarithm and factorization on a quantum computer! As we previously 
said, these two problems are extremely important since most existing classical 
cryptosystems rely on the assumption that they are not easy (not polynomial). 
The interest in quantum cryptography also raised a lot due to the interest 
in this breakthrough. In addition, many experimentalists are now trying to 
make quantum gates in their labs, and many implementations for quantum 
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cryptography which looked as fantasy three years ago, are now very close to 
practice. 

The question of building practical quantum computers is not only a techno- 
logical problem, since decoherence and other environmental interceptions could 
limit the computing abilities very much. However, it seems that quantum error- 
correction codes |)5|, |98] and their extension to fault-tolerant quantum error 



correction |96[ can overcome the decoherence problem. This issue is still under 
thorough investigation. We discuss quantum error correction in Chapter |6] but 
we concentrate on its relevance to quantum memories and quantum cryptogra- 
phy. 

1.7 Structure of the Thesis 

Chapter 2 describes the security problem in details and our approach to it. 
Chapter 3 discusses the information on the parity bit in various cases, and 
proves that it reduces exponentially with the length of the string in the case 
relevant to eavesdropping analysis. Chapter 4 extends the analysis regarding 
the information on a parity bit to deal with error correction, and applies the 
analysis to show the security of quantum key distribution schemes against var- 
ious attacks. Chapter 5 describes a new scheme for quantum key distribution 
which is based on the use of a quantum memory. This scheme is especially 
adequate for building networks of many users. Chapter 6 discusses quantum 
error correction, quantum privacy amplification and suggests a new quantum 
privacy amplification based upon quantum error correction. It also develops the 
surprising possibility of having "quantum repeaters" . Chapter 7 provides our 
conclusions in brief. 
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Chapter 2 

On the Security of Quantum 
Key Distribution Against a 
'Quantum' Eavesdropper 



The security of quantum key distribution in noisy channels and environment 
is still an open questionF] despite the use of privacy amplification; no bound 
has yet been found on the amount of information obtained by an adversary 
equipped with any technology consistent with the rules of quantum mechanics 
(to be called a quantum eavesdropper). In particular, neither of the suggested 
schemes is proven secure against sophisticated joint attacks, which use quantum 
memories and quantum gates to attack directly the final key. Note that in 
order to make quantum key distribution a practical tool one must present a 
scheme which uses existing technology, and is proven secure against an adversary 
equipped with any technology 

The main achievement of this thesis is to develop a new approach to attack 
this problem. In this chapter we explain the security problem in more details and 
we present our approach to it. We separate the complicated security problem 
into several simpler steps. We define a class of strong attacks which we call 
collective attacks, and we conjecture that the problem of security against any 
attack can be replaced by the simpler problem of security against collective 
attacks. In the next two chapters we discuss security against collective attacks, 
providing some important security results. 

Our approach tries to prove the efficiency of privacy amplification against a 
quantum eavesdropper, by analyzing the density matrices available to her, and 
bounding the information which can be extracted from them. 

The security of quantum cryptography is a very complicated and tricky 
problem. Several security claims done in the past were found later on to contain 
loopholes. Recently, in parallel to our work, two other attempts were made to 
solve the security issue |7B|, [58|], based on different interesting approaches. The 
first one JF(J considers the efficiency of privacy amplification as we do (but 



1 But see Section 2.5. 
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without analyzing Eve's density matrices); we discuss it in the last section of 
this chapter. The other one [B8|] assumes non realistic perfect devices^ with 
perfect accuracy, hence provides only a limited security proof. Furthermore, it 
suggests a quantum privacy amplification hence is not applicable with existing 
technology. We discuss it in Chapter 6, where we suggest another quantum 
privacy amplification scheme. 

2.1 Privacy Amplification and Security Against 
Existing Technology 

We have seen that, in a realistic protocol, Eve might gain some information 
on the raw data: she obtains some information on the transmitted data, as 
long as she induces less errors than permitted^; furthermore, she obtains also 
the error-correction data, since it is transmitted via a classical channel which 
is accessible to her. Thus, the key common to Alice and Bob is insecure at 
this stage. Actually, even in an error-free channels, and even when no errors 
are found at the error-estimation stage, the error correction is still required; for 
instance, Eve could eavesdrop only on two qubits hence be unnoticed with large 
probability. 

To overcome these problems, privacy amplification techniques [pT3| , [| were 
suggested. The simplest one uses the parity bit of the full string as the secret 
bit, so that the final key contains L = 1 bits. Such techniques are designed to 
reduce Eve's information on the final key to be exponentially small with the 
length of the initial string. Currently, they are shown to work only against very 
restricted attacks. 

Eve can measure some of the particles and gain a lot of information on them, 
but this induces a lot of error. Hence, if she performs such an attack, she must 
restrict herself to attack only small portion of the particles, and thus, her in- 
formation on the parity of many bits is reduced to zero. Let us explain this 
in more details: When Eve measures only a small portion of the particles, the 
probability that no other bit will be used for creating the final key is exponen- 
tially small. If, to avoid inducing too much noise, she measures less particles 
than used for the final string her information on the parity of this string is 
zero. Alternatively, she can measure all the particles. For instance, when she 
attacks the four-state scheme and measures all particles, each particle in one 
of the bases, she gains full information if she guessed the basis correctly for all 
bits which shall be used for the final key. However, the probability of success 
is exponentially small with the length of the final key. Furthermore, the prob- 
ability that she induces less than the permitted error rate when she attacks all 



2 This is not clear from |3q| . The assumption appears on page 2819, col. 1, line 18, and it 
is never removed. 

3 We assume that the permitted error rate is reasonably small, but not extremely small 
(say, around 1%). 
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particles is exponentially small as well. Analysis of such attacks were done, for 
instance, in [B7| for the four-state scheme, and in |45| for the two-state scheme. 

Eve can do much better than measure some of the particles - - she can 
obtain information on each bit without inducing too much noise. Of course, in 
this case, she must induce only a small amount of noise on each bit. Eve can 
achieve this task by performing an incomplete measurement: She lets another 
particle interact with the particle sent by Alice, and performs a measurement 
on that additional particle. Such translucent attacks were defined in [|45| . They 
are done using quantum gates and the additional particle is called a probe. The 
analysis in ||5| considered the mutual information available to the eavesdropper 
on a single transmitted particle, and did not deal with the processes of error 
correction and privacy amplification. Fortunately, it is rather clear || that 
privacy amplification will reduce Eve's information exponentially to zero also in 
this case, hence, such an individual translucent attack is ineffective. 

Let us show in detail that privacy amplification can reduce Eve's information 
on the final key (the parity bit of the string) to be exponentially small, when 
a particular translucent attack is used. Let us consider the "translucent attack 
without entanglement" of ||45| , which is applied onto the two-state scheme, and 
which leaves Eve with probes in a pure state. It uses a two-dimensional probe in 
an initial state Lj, and transforms the states 0o and <pi (defined in Section |L4| 
in the introduction) so that 
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with '+' for 00? and '— ' for <\>\, As a result, 9' is the angle of the states received 
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with ce = cos 9 etc. 

The error rate is defined as the probability of wrong identification; The 
probability that Bob measured O = (-cose) (which is identified as 0i) when 
Alice sent (f> is 
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The connection between this induced error rate and the angle a is calculated 
using the unitarity condition |E| (preservation of the overlap) 

cos2# = cos2#'cos2a . (2.5) 

In order to analyze the effect of privacy amplification, suppose that Eve 
performs this translucent attack on all the bits (with identical transformation 
for each bit). As result, she gets n probes (for the n bits left from the raw 
data after error estimation), each in one of the two states ipo = ( Ca ) or ipi = 

\-s )■ Since she attacks all the bits, she must attack them weakly, so that p e 
and a are small. For weak attacks which cause small error rate we use the 
approximation 1/ cos 2a ~ 1 + 2a 2 + 0(a A ) in the unitarity condition, to get 
26' « arccos(cos2#[l + 2a 2 + 0(a 4 )]) « 26 -2a 2 cot 26 + (a 4 ). Thus, the error 
rate is p e = sin 2 (# — 6') « a 4 cot 2 26 + 0(a 6 ). The angle of Eve's probe satisfies 

a= (p e tan 2 26) 1/4 , (2.6) 

and from this expression we shall obtain the information on the parity bit as 
a function of the error rate. It is important to noteQ that a = OfQoe) 1 / 4 ] since 
other attacks usually give a = 0[(p e ) 1//2 ]. 

We have seen in the introduction (Section [L^) that for these two possible 
pure states of each probe, ip and ipi (called there, u and v), a standard measure- 
ment in an orthogonal basis symmetric to the two states optimizes the mutual 
information. The angle between one basis vector and these polarization state is 
j ± a. The measurement results in an error with probability 

«. = ^f^ , (2-7) 

and with the same error probability for both inputs, thus, leading to a binary 
symmetric channel (BSC). The optimal information of such a channel is I BSC = 
h(Qe), but we care only about the fact that the mean error probability is also 
optimized (minimized) by this measurement. We denote this error-probability 
by r = Q e for convenience. Let us calculate Eve's information on the parity bit 
by calculating the probability that she guesses it correctly. (Another approach 
could use the "collision entropy" on each bit [f|] to find the optimal mutual 
information on the parity bit). The probability of deriving the wrong parity bit 
is equal to the probability of having an odd number of errors on the individual 
probes 



Qt ] = E M(i -!•)"-' 




4 We shall see in Chapter that Alice and Bob can use other states (in addition to the 
two states of the protocol) which are much more sensitive to this attack, so that a ~ Pe 1 ^ 2 
for a slightly modified scheme. However, this shall become relevant only when we compare 
the quality of different possible attacks. 
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To perform the sum only over odd j's we use the formulae 

(p + g)» = £ ( U )p n ~ V and (p-g) B = f;f n W(-ffy, 

to derive 

f (™y-v = &>+«)•-&>-«)• , (2 . 8) 

j=odd V / ^ 

Assigning q = r and p = 1 — r we get 

QJ.) = f (»W - r T -' = ^^ = i - <i^ , (2.9) 

and finally 

e» = i - ^ (2.io) 

using 1 — 2r = sin 2a. The mutual information 1$ in this single-particle mea- 
surement is thus 

7 2 (Q<»>) = / 2 f I - -5^20). (2.11) 
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This is the optimal information obtained by a single particle measurement, 
performed on n particles each in either of the states ipo an d ipi, and it was 
calculated by us in [[15] . 

A lot of useless side-information is obtained by this measurement (e.g., on 
the individual bits). This fact indicates that Eve might be able to do much 
better by concentrating on deriving only useful information. This will be shown 
explicitly in Chapter || 

In case of small angle a, let us calculate the optimal information obtained 
by individual measurements. In that case, equation (|2.1Q) yields 

Qi« »\ - &f ■ (2.12) 

For small rj the logarithmic function is approximated by 

k)g(-±77) = — ^ -«-l±- n-: V , 2.13 

sv 2 /; hi 2 In 2 ' ln2 ' ' v ; 

from which the mutual information 

U^-V) = ^-H(--r,) = l + (- + r,)\og(- + r 1 ) + (--i 1 )\og(--r l ) 

2 V 2 (2.14) 
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is obtained. Using this result and assigning rj = (2ct) n /2, the information (to 
first order) obtained by the optimal single-particle measurement is 

2 (2a) 2 " (2a) 2 " 
Is ~ ^2~T~ " 1^2 ■ (2 ' 15) 
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We see that it is exponentially small with the length of the string n. This result 
is the maximal information Eve can obtain if she has n particles, each in either 
of the states ipo and ipi, and she uses single-particle attack. 

Using a = (p e tan 2 29) 1 ' 4 we finally get the information as a function of the 
error rate 

I s = o((16p e tan 2 26) n ' 2 ) . (2.16) 

2.2 Can a 'Quantum' Eavesdropper Learn the 
Key? 

Eve can do much more than an individual attack if she keeps the probes in 
a quantum memory! At a later time, she can attack the final key directly 
using both the classical information regarding the error correction and privacy 
amplification, and the quantum information contained in the quantum states of 
her probes. In such a case, she might be able to gain only useful information 
regarding the desired parity bits. Privacy amplification techniques were not 
designed to stand against such attacks, hence their efficiency against them is 
unknown. 

The most general attack allowed by the rules of quantum mechanics is the 
following: Eve lets all particles pass through a huge probe (a probe which 
lives in a very large Hilbert space) and performs transformations which create 
correlations between the state of the particles and the state of the probe. Eve 
waits till receiving all classical information (for instance: 1. the relevant bits; 2. 
the error-correction data; 3. the privacy amplification technique.) Eve measures 
the probe to obtain the optimal information on the final key using all classical 
data. Such an attack is called a coherent or a joint attack p. (We shall use the 
term joint attack in this thesis, and keep the term coherent measurement for 
describing measurements which are done in some entangled basis). Joint attacks 
are the most general attacks consistent with the rules of quantum mechanics. 
Doing several measurements in the middle can always be simulated by that 
system as well, by using measurement gates. The analysis of joint attacks is 
very complicated, and although security against them is commonly believed, 
it is yet unproven Q. For instance, it could well be that Eve would obtain 
much more information on parity bits by measuring all bits together. If that 
information is not reduced sufficiently fast with the length of the string, the 
known quantum key distribution becomes insecure! 

2.3 The Collective Attack 

In this thesis we suggest a new approach to the security problem. It started 
as a practical question: if we cannot prove security against the most general 



'° But see Section 2.5. 



40 



attack, what type of restricted security proofs can we achieve? It continued as 
a very promising direction for approaching the security problem. The results 
we present here strongly suggest that quantum key distribution is secure. We 
hope that the steps which still remain open will be soon solved as well. 
Consider the following attack which we call [[HJ the collective attack: 

1. Eve attaches a separate, uncorrected probe to each transmitted particle 
using a translucent attack. 

2. Eve keeps the probes in a quantum memory till receiving all classical data 
including error-correction and privacy amplification data. 

3. Eve performs the optimal measurement on her probes in order to learn 
the maximal information on the final key. 

The case in which Eve attaches one (large-Hilbert-space) probe to all transmit- 
ted particles is the joint attack. No specific joint attacks were yet suggested; the 
collective attack defined above is the strongest joint attack suggested so far, and 
there are good reasons to believe that it is the strongest possible joint attack. If 
this is indeed the case, then security against it establishes an ultimate security. 
In order to devise a proof of security against collective attacks we shall 
provide a solution for an example based on the "translucent attack without en- 



tanglement" of j45[, which leaves Eve with probes in a pure state, and prove 
security against it. As before we assume that this translucent attack is per- 
formed on all the bits. After throwing inconclusive results, and after estimating 
the error rate, Alice and Bob are left with n bits. As a result, Eve holds an 
n-qubit state which corresponds to Alice's string x. For simplicity, we choose 
the final key to consist of one bit, which is the parity of the n bits. Eve wants 
to distinguish between two density matrices corresponding to the two possible 
values of this parity bit. Our first aim is to calculate the optimal mutual infor- 
mation she can extract from them. A priori, all strings are equally probable and 
Eve needs to distinguish between the two density matrices describing the pari- 
ties. In the next chapter we show that the optimal information is obtained by 
a coherent measurement and not by individual measurement. We calculate this 
information and we prove that it is exponentially small. Thus, we provide the 
first proof of efficiency of privacy amplification against coherent measurements. 
In real protocols an error correction must be done. Since Eve is being told what 
the error-correction code is, all strings consistent with the given error-correction 
code (the given r subparities) are equally probable, while other strings are ex- 
cluded. Full analysis of this case is given in Chapter |], leading to a proof that 
privacy amplification is still effective when the error-correction data is avail- 
able to Eve. In Chapter |] we also extend this result to various other collective 
attacks, strongly suggesting security against any collective attack. 
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2.4 Collective Attacks and the Ultimate Secu- 
rity 

Our approach solves interesting problems regarding security against collective 
attacks, but the more puzzling question regarding our approach is whether it 
can also provide a route to the proof of the ultimate security. Unfortunately, 
the proof is not available yet, but we have intuitive arguments suggesting that 
it exists, based on a randomization argument. 

The randomization procedure is a very important step in any protocol for 
quantum key distribution. Bob chooses randomly the basis in which he performs 
his measurements (in either of the schemes). Alice and Bob choose randomly 
the qubits which shall be used and thrown away in the error-estimation step. 
Also, they randomize the bits before choosing any error-correction code, and 
they choose randomly which parity bits will form the final key. At the time 
Eve holds the transmitted particles she has no knowledge of the relevant qubits 
for each of these steps. A correct guess would surely help her, putting her in 
a position more similar to Bob's. However, the probability of guessing each 
of these random steps (i.e., Bob's basis, the bits left after error estimation, the 
error-correction code for a randomized string and the substrings used for privacy 
amplification) is exponentially small with the length of the string. Hence, the 
average information which result from such a guess is exponentially small. 

Thus, we conjecture that she cannot gain information by searching or by 
creating correlations between the transmitted particles; it is better for her to 
keep one separate probe for each particle, and to perform the measurements 
after obtaining the missing information as is done in the collective attacks. Any 
attempt of creating such coherent correlations at the first step of the attack 
induces errors, while it cannot lead to a noticeable increase in the resulting 
average information; Searching for exponentially many such correlations could 
help Eve, but it would also cause an appropriate induced error rate. 

Unfortunately, proving this intuitive argument is yet an open problem. 

A simplified approach to prove this can be based on providing Eve with most 
of the missing details by choosing in advance (and telling her) all relevant data 
(the bits used for error estimation, the error correction code, and the privacy 
amplification code) except for the basis used by Alice and Bob. Furthermore, 
we can also let her have all the particles together. Despite all this, as long as 
she does not know the basis used by Alice and Bob, she cannot know which 
bits will form the raw data, and the collective attack will probably be her best 
attack. 

2.5 An Alternative Approach 



As we were working on this research, Yao ||109| and Mayers J76| suggested an- 
other approach to the security problem. 
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Yao |109| claims to prove security of OT (assuming secure BC) in case of 
error-free channel, and this proof applies to key distribution (even if secure 
BC does not exist) based on reduction from OT, suggested by Mayers |75 



This important result is certainly not surprising. It translates the "no clean 
imprint" theorem to a calculation, which takes error correction and privacy 
amplification into account: if Eve is not permitted to induce errors, she can 
gain only exponentially small information. The main achievement of this proof 
is that it does not limit Eve in any way, thus it is the first work which considers 
a quantum eavesdropper. It considers the quantum state Eve obtains versus the 
quantum state she sends further to Bob, and not the density matrices available 
to Eve. Since the state obtained by Bob must be very similar to the one sent 
by Alice, Eve gain only exponentially small amount of information. 

Going to real channels the situation is different, since Eve can certainly gain 
information on each transmitted particle. When Eve attacks in a way which 
induces constant (but permitted) error rate, the probability that she will be 
noticed does not approaches one in the limit of large strings, but remains zero. 
In this case, we believe that it does not suffice to consider the difference between 
Bob's state and Alice's state, since it shall not be negligible anymore. Instead, 
one have to investigate Eve's density matrices as a function of that difference. 
Surprisingly, Mayers claims JF6| that it is possible to extend Yao's result to 



real channels, without analyzing Eve's density matrices. We do not understand 
Mayers' proof well enough and at the moment we believe that it cannot be 
correct. It is important to state that various security proofs claimed in the past 
were later on found to be wrong (e.g., to be based on a hidden assumption). 
Mayers' result is not yet accepted by the general community, and furthermore, 
it was not published in a refereed journal. Till this claim is clarified, we must 
assume that the problem is still open. 

Even if Mayers' proof will be found correct and complete in the future (or 
will lead to a complete proof), our approach might still be crucial: it is possible 
that their approach is limited to deal with extremely small error rates only, or 
that it requires much longer strings compared to our approach. 
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Chapter 3 
The Parity Bit 



A major question in quantum information theory |65| , [34] , p4| , |86| , |69| , [49| is "how 
well can two quantum states, or more generally, two density matrices po an d 
Pi, be distinguished?" In terms of a communication scheme this question is 
translated to an identification task: A sender (Alice) sends a bit b — i (i — 
0; 1) to the receiver (Bob) by sending the quantum state pi, and the receiver 
does his best to identify the value of the bit, i.e., the quantum state. The 
two-dimensional Hilbert space 7i 2 is usually used to implement such a binary 
channel. The transmitted signals can be polarization states of photons, spin- 
states of spin-half particles, etc. The transmitted states may be pure states or 
density matrices, and need not be orthogonal. Usually, the mutual information 
/ is used to describe distinguishability, such that 1 = means indistinguishable, 
and 1 = 1 (for a binary channel) means perfect distinguishability. The ensemble 
of signals is agreed on in advance, and the goal of Alice and Bob is to optimize 
the average mutual information over the different possible measurements at the 
receiving end. For example, two orthogonal pure states transmitted through an 
error-free channel are perfectly distinguishable; The optimal mutual information 
(/ = 1) is obtained if Bob measures in an appropriate basis. Finding the 
optimal mutual information is still an open question for most ensembles. Some 
cases with known analytic solutions are the case of two pure states, the case of 



two density matrices in two dimensions with equal determinants [B9, ^U[ and 



the case of commuting density matrices [24]]. There are no known analytic 



solutions for two non-trivial density matrices in dimensions higher than two. In 
this chapter we find a solvable case which has very important implications to 
quantum cryptography. This part of the work was done together with Charles 
Bennett and John Smolin ||15| , and with the help of Asher Peres. 

Suppose that a source produces binary string x of length n with equal and 
independent probabilities for all the digits. Let the string be encoded into a 
quantum-mechanical channel, in which the bits '0' and '1' are represented by 
quantum states (density matrices) p an d Pi of independent two-state quantum 
systems. These can be either pure states or density matrices with equal deter- 
minants. Suppose Bob wants to learn the parity bit (exclusive-OR) of the n-bit 
string and not the specific value of each bit. The parity bit is described by one 
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of two density matrices p and p™ which lie in a 2 ra -dimensional Hilbert space 
7^2™ • These parity density matrices p^ 1 ' are the average density matrices, where 
the average is taken over all strings the source might produce, which have the 
same parity p. Since the parity bit of the source string x is encoded by p^\ in- 
formation about which of the two density matrices was prepared is information 
about the parity of x. 

Let x be any classical string of n such bits, and p x = p^st bit ) . . . p^ n th ut \ 
be the density matrix made up of the tensor product of the signaling states 
P(i) corresponding to the i th bit of x. Formally, we distinguish between the two 
density matrices: 

^o n) = 7^=l Y,P* and Pi n) = ^ZT EAc, (3-1) 

x\p(x)=0 ~" x\p(x)=l 

where the sum is over all possible strings with the same parity [each sent with 
equal probability (l/2 n )] and p(x) is the parity function of x. We show a simple 
way to write the parity density matrices. We find that they are optimally 
distinguished by a non-factorizable coherent measurement, performed on the 
composite 2 n dimensional quantum system, and we calculate the optimal mutual 
information which can be obtained on the parity bit. 

We concentrate on the special case where the two signaling states have large 
overlap, which is important in the analysis of the security of quantum key 
distribution against powerful multi-particle eavesdropping attacks. We show 
that the optimal obtainable information decreases exponentially with the length 
n of the string. This result provides a clue that classical privacy amplification is 
effective against coherent measurements, limiting the ability of an eavesdropper 
to obtain only negligible information on the final key. 

The first sections deal only with the case where each bit is encoded by a pure 



state. In Section |3.1| we find a simple way to write the density matrices of the 
parity bit for any n when the signaling states are pure; We show that the parity 
matrices can be written in a block diagonal form and explain the importance 
of this fact. In Section |3]^ we investigate the distinguishability of the parity 
matrices; The optimal measurement that distinguishes them is found to be a 
standard (von Neumann) measurement in an entangled basis (a generalization 
of the Bell basis of two particles) ; We calculate exactly the optimal mutual in- 
formation on the parity bit (derived by performing the optimal measurement). 
In Section |3.3| we obtain the main result of this chapter: for two almost fully 
overlapping states, the optimal mutual information Im decreases exponentially 
with the length of the string. While exponentially small, this optimal informa- 
tion is nevertheless considerably greater than the information that would have 
been obtained by measuring each bit separately and classically combining the 
results of these measurements. We are also able to calculate the maximal deter- 
ministic (conclusive) information on the parity matrices obtained in Section RTI 



This is done in Section 3.4 where we also confirm a result previously obtained 



by Huttner and Peres |59[ for two bits. In Section |375| we repeat the calculation 
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of the optimal mutual information for the more general case where the bits are 
represented by non-pure states (in Ti 2 and with equal determinants). In Section 
|3.6| we summarize the conclusions of this chapter. In the next chapter we study 
the implications of these results to the security of quantum cryptography. 

3.1 Density Matrices for Parity Bits 

Let Alice send n bits. The possible values of a single bit (0 or 1) are represented 

by 

/coscA , , / cos a \ 

^o = . and Vi = • 3.2 

y sin ay y— sinay 

respectively. In terms of density matrices these are: 

,?> = ( i s ; ) ^ pS" = ( :] c 7 ) , (3.3) 

where we use a shorter notation s = sin a; c = cos a, for convenience, and the 
superscript [p 1 -* is explained in the following paragraph. 

The parity bit of an rz-bit string is the exclusive-OR of all the bits in the 
string. In other words, the parity is 1 if there are an odd number of l's and if 
there are an even number. The parity density matrices of n bits will be denoted 
as po and p™ in case the parity is '0' and '1' respectively. Using these density 
matrices we define also the total density matrix p^ = |(po + Pi) and the 
difference density matrix A^ = |(po — Pi )> so that 

p^ = pW + A< n > and pt ] = p< n > - A^ . (3.4) 



The one-particle density matrices (equation |3.3|) also describe the parities of 
one particle, and therefore we can calculate 

<f» = \i$ +&)=(* s °), (3.5) 

The density matrices of the parity bit of two particles are: 



tf = i(rf>tf>+ />?»#) (3.7) 

where the multiplication is a tensor product. The total density matrix is 

P (2) = lipf+P?) 

= 1 i [^(£ ) +pP) + p?(^+^ ) )} 



p<V } 
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which, by using the basis 
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in 7^4, can be written as 



p^ = p 0)p0) 



The difference density matrix is 
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The density matrices of the parity bit of n particles can be written recur- 
sively: 



leading to 



and 



#=ia i vr , +pS"pr i) ) 
p*"» = i(pr + pi- 1 ) = p (i v ( "-" 



A<») = i(p«">-p<">) = A' 1 'Al»- 1 > 
Using these expressions recursively we get 

p (n) = ( p (l))n 

which is diagonal, and 

A (n) = ( A (l))n 



(3.11) 

(3.12) 
(3.13) 

(3.14) 
(3.15) 
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which has non-zero terms only in the secondary diagonal. The density matrices 



» 



» 



Po an d Pi are now immediately derived for any n using equation ( |3.4|) : 



(n) 

Po 



(p (1) ) n + (A«)" 



and 



(n) 
Pi 



(P 



(l)\n 



(A 



(l)\n 



As an illustrative example we write po and p\ for two particles: 



/ 



(2) 

Po 



c 




VcV 











.2r,2 



cV 



cV 



cV 



cV 











c s 



o4 



\ 



. .(2) 

) Pi 



/ 



/ 



V 



c 1 





-c 2 s 2 











-cV 



-cV 
c 2 s 2 











(3.16) 



2^,2 



— C S 




o4 



(3.17) 



/ 



The only non-zero terms in the parity density matrices are the terms in the 
diagonals for any n, thus the parity density matrices have an X-shape in that 
basis. 

The basis vectors can be permuted to yield block-diagonal matrices built of 
2x2 blocks. The original basis vectors [see, for example, equation ( |3.8| )1, \bi), 
are simply 2 n - vectors where the i th element of the i th basis vector is 1 and all 
other elements are (i ranges from to 2 n — 1). The new basis vectors are 
related to the old as follows: 



K) = IV 2 ) f° r even ^ and \b[) = |6 2 «- 



■(t+l)/2 



) for odd i 



(3.18) 



The parity density matrices are now, in the new basis (we omit the ' from now 
on as we will never write the matrices in the original basis): 



P^ 






p 








7 ? [j=2(™- 1 )] 

v 



(3.19) 



where the subscript p stands for the parity (0 or 1). Each of the 2x2 matrices 

has the form 

±c n s n 



B^ 



c 2(n~k) s 2k 
±c n s n 



c 2k s 2(n-k) 



(3.20) 



with the plus sign for p = and the minus sign for p — 1, and < k < n, and 
all these density matrices satisfy Det B$ = 0. The first block (j = 1) has k = 0; 

there are f ") blocks which have k = l or k = n — 1; there are ( ™) j's which 
have k = 2ork = n — 2, etc. This continues until k = (n — l)/2 for odd n. For 
even n the process continues up to k = n/2 with the minor adjustment that 
there are only |( n ^ 2 ) j' s of A; = n/2. This enumeration groups blocks which are 
identical or identical after interchange of k and n — k and accounts for all 2 n /2 
blocks. We will see later that blocks identical under interchange of k and n — k 
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will contribute the same mutual information about the parity bit, thus we have 
grouped them together. 

With the density matrices written in such a block-diagonal form of 2 x 2 
blocks the problem of finding the optimal mutual information can be analytically 
solved. It separates into two parts: 

• Determining in which of 2 n /2 orthogonal 2d subspaces (each corresponding 
to one of the 2x2 blocks) the system lies. 

• Performing the optimal measurement within that subspace. 

The subspaces may be thought of as 2™/2 parallel channels, one of which is 
probabilistically chosen and used to encode the parity by means of a choice 
between two equiprobable pure states within that subspace (these two states 
are pure because the -Bo and B\ matrices each have zero determinant). We 
shall present in the next section the optimal measurement that yields the opti- 
mal mutual information transmissible through such a two-pure-state quantum 
channel. The channel then corresponds to a classical binary symmetric channel 
(BSC), i.e., a classical one-bit-in one-bit-out channel whose output differs from 
its input with some error probability pj independent of whether the input was 
or 1. The optimal mutual information in each subchannel is the optimal mutual 
information of a BSC with error probability Pj and is ^(Pj) = 1 — H(pj), with 
H(x) = — xlog 2 x — (1 — x)log 2 (l — x), the Shannon entropy function. The 
optimal mutual information Im for distinguishing p from p™ can thus be ex- 
pressed as an average over the optimal mutual information of the subchannels: 

2 n /2 

Im=Y, vMPj), (3-21) 

i=i 

where qj = Tr Bq = Tr Bi is the probability of choosing the j'th subchannel. 
The BSC error probability pj for the j'th subchannel depends on the subchan- 
nel's 2x2 renormalized density matrices B^ = B^/qj, and is easily calculated 
once the optimal measurement is found. For each subchannel the qj and renor- 
malized 2x2 matrices look like 



Qj = c^»-*V* + c^s^-V (3.22) 



and 



J2(n — k) g 2k +C n S v 



„ r ., I c 2(n — k) s 2k_^ c 2k s 2(n-k) c 2(n — k) s 2k _j_ c 2fc s 2(n — k) \ 1 

B [ ^ = ± c "s" c 2k s 2( n - k ) j . (3.23) 

1 c 2(n- k) g 2k i c 2k s 2(n — k) \ c 2(n- k) g 2k i_ c 2k g 2(n- k) J 

Since they correspond to pure states we can find an angle 7^ for each block 
such that the density matrices are 

/ cos 2 7 b] ±cosWsin7 W \ (3 24) 

I ± cos 7^ sin 7^1 sin 2 7^1 I 
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In our previous example of n 
form: 



2 the matrices are put in a block diagonal 
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cV 


cV 
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cV 


-cV 
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cV 


c 2 s 2 ) 
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-cV 


cV 



so that g J=1 = c 4 + s 4 ; g J=2 = 2c 2 s 2 ; and 



Bt 1] 



c 4 +s 4 

2 2 
J_ C S 

r e 4 +s 4 



^r 1 



c 4 +s 



1/2 ±1/2 
±1/2 1/2 



3-25) 



(3.26) 



3.2 Optimal Information in a Parity Bit 

Two pure states or two density matrices in H.2 with equal determinants can 
always be written (in an appropriate basis) in the simple form 



I ai a 2 \ 




(3.27) 



with ai real positive numbers such that Trp p = ai + a^ = 1. For two pure states, 
say 



—I — L"-y O <y 



—I — C-'V O -v 



(3.28) 



we already said that a standard measurement in an orthogonal basis symmetric 
to the two states optimizes the mutual information. The density matrices of 
pure states can be written as pi = (11 ± a ■ r ; )/2 with the a being the Pauli 
matrices and r = (± sin 27, 0, cos 27) being a three dimensional vector which 
describes a spin direction. Using this notation any density matrix is described 
by a point in a three dimensional unit ball, called the Poincare sphere (also 
called the Bloch sphere). The pure states are points on the surface of that 
sphere and the above two pure states have x = ±2a 2 = ± sin 27. With the 
density matrix notation the optimal basis for distinguishing the states is the x 
basis. Note that all angles are doubled in this spin notation, so that the angle 
between the two states is 47, and the angle between the basis vector and the 
state is | — 27. The measurement of the two projectors 



A. 




and 



yields 



P e = Tr Pl A_ 



1 
2 



.4, 



a 2 



1/2 



■1 



1 

2 



sin 27 



(3.29) 



(3.30) 



which recovers the result of equation ( |2.7|) in case of pure states obtained in 
Chapter |2|. However, the treatment of density matrices is more general and this 
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is the optimal measurement also in the case of deriving block-diagonal matrices 



for the parity of string of non-pure states with equal determinants |69], |49| , when 



Pi of equation (|3.3| ) are replaced by pf m of equation ( [3.63D and fl3.64|) of Section 



3Tq , and this case is also described by a BSC. The only difference between the 
matrices is that Detp p = for pure states and < Detp p < -r for density 
matrices. 

Instead of measuring the density matrices in the x direction we perform the 
following unitary transformation on the density matrices 

U=l/y/2[] \) (3.31) 



to obtain p' = UpW which is then measured in the z basis. Note that the 
transformation transform the original z-basis to x-basis (the motivation for this 
approach will be understood when we discuss the 2x2 blocks of the parity 
matrices). The new density matrices are 



Po'= Ca? i \ 5Pi'= W i * (3-32) 





and their measurement yields the probability | ± a-i to derive the correct (plus) 
and the wrong (minus) answers (as we obtained before), leading to optimal 
mutual information of 

h(\-a 2 ), (3.33) 

which depends only on a 2 . Note that the same information is obtained in case 
a\ and a 3 are interchanged. Now, instead of considering the information as a 
function of 7 we have it as a function of a 2 , and we can apply it directly to the 
blocks Bgi of the previous section. 

Let us now consider the information one can obtain on the parity bit. The 
naive way to derive information on a parity bit of n particles [each in one of the 
states (^gfifo,)] is to derive the optimal information on each particle separately 
and calculate the information on the parity bit. This individual (or single- 
particle measurement) is the best Bob can do in case he has no quantum memory 
in which to keep the particles (which, usually arrive one at a time) or he has no 
ability to perform more advanced coherent measurements. The optimal error- 
probability for each particle is Q e = if 2a , and the probability of deriving the 
wrong parity bit, derived in the previous chapter (eq. |2.10| ) is Q^ = \ _ i£l£_^i_ ) 
and the mutual information in this case was found to be 

- ^|^) ■ (3.34) 

As we previously said, the derivation of useless side-information on the indi- 
vidual bits indicates that Bob might be able to do much better by concentrating 
on deriving only useful information. The optimal measurement for finding mu- 
tual information on the parity bit is not a single-particle measurement, but is 
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instead a measurement on the full 2"-dimensional Hilbert space of the system. 
In general, optimizing over all possible measurement is a very difficult task un- 
less the two density matrices in 7i 2 « are pure states. However, in the preceding 
section we have shown how to reduce the problem to that of distinguishing the 
2x2 blocks of our block-diagonal parity matrices. We now have only to apply 
the optimal single-particle measurement to the 2x2 B^'s of equation ( |3.23| ) and 
use the result in equation (|3.21| ). 

The error probability (equation p.30|) for distinguishing the ZJ^'s of equa- 
tion (|3.23|) is seen to be: 



P., 



c 2(n-k) s 2k _i_ £ 2fc g2(n-k) 



(3.35) 



from which the information ^{Pj) in each channel is obtained. Plugging the 



error probability pj (equation p.35|) and the probability of choosing the j'th 
subchannel qj (equation |3.22| ) into ( |3.21| ), the optimal information on the parity 
bit is now: 



IM 



2 n /2 

y- ( c 2{n-k) s 2k _|_ c 2k s 2(n-k)\ 



c 2(n-k) g 2k I c 2k s 2(n-k) 



(3.36) 



For various simple cases we can see the implications of this result, and further- 
more, we can compare it to the best result obtained by individual measurements. 
In the simple case of orthogonal states (a = |) all these density matrices are 

/ , \ n— 1 

the same and we get % = ( 5 ) , Pj = and Im = 1 as expected. 



A brief remark is in order at this stage. The transformation to the x 
basis for each 2 by 2 matrix, B^ 1 '^ is actually a transformation from a 
product basis to a fully entangled basis of the n particles. That basis is a 



generalization of the Bell basis of |26 . 






(3.37) 



,,, ^w.n^A-uuoL (338) 

etc. The Bell basis for two particles is frequently used and its basis con- 
tains the EPR singlet state and the other three orthogonal fully entangled 
states. 

For large n, the number of blocks is exponentially large and performing 
the summation required in equation fl3.36|) is impractical, since all the 2 n ~ 1 
matrices must be taken into account. However, that problem can be simplified 
by realizing that all blocks with a given k, as well as all blocks with k and n — k 
interchanged, contribute the same information to the total. This is easily seen 
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in equation ( p.36| ) where both the weight and the argument of I2 are symmetric 



in k and n — k. The optimal mutual information for even n is then 

ie M n = E (?W(p fe ) + \{Vj^h{p^) , (3.39) 



and for odd n 



rodd ^— - ' n 




C=L(Jft%). (3-40) 



As an example we calculate Im for n = 2 (of course, the counting argument 
is not needed in that case). This particular result complements the result in 



d]| where the deterministic information of such a system is considered (see also 
Section |3~4l ). In the new basis ( |3.32|) the density matrices of (equation |3.26|) 
become 



1 c —s \ / 1 /o c s 1 c 



6'(fe=0) _ ( V 2 + ^T^ 2^TF I • R'( fc =0) _ f V 2 ,.i + ,.i o,.i + ,! 

~ 1 c 4 -s 4 1 /o c 2 s 2 ' -°1 — I 1 c 4 ~s 4 1 /o 1 c 2 s 

V 2c 4 +s 4 i / Z c 4 +s 4 / V 2c 4 +s 4 ± / Z "^c 4 + 



and 




Br 1 ' = ; A' 1 - = I X : I ■ (3.«) 




We use the notation S = 2sc = sin 2a; C = c 2 — s 2 = cos 2a (hence, c A — s A = C 
and c 4 + s 4 = ^) to obtain qi = 2c 2 s 2 = § , p x = 0, g = |(1 + C 2 ) 
and p Q = -Sjji (the g/s were obtained in the previous section). The mutual 
information of the parity of two bits is obtained using equation ( p. 21 ) 



hi = qohipo) + qih(p 



3.3 Information on the Parity Bit of Almost 
Fully Overlapping States 

The case of almost fully overlapping states is extremely important to the analysis 
of eavesdropping attacks on any quantum key distribution scheme. In this case 

2 

the angle a is small so s = sin a ~ a and c = cos a ~ 1 — ^-. To observe 
the advantage of the coherent measurement, let us first recall that the optimal 
information obtained by individual measurements [with Q^ 
calculated to first order for small a, is (see |2.15|) 

(2a) 2 " 
Iq p» - — - — . 
b 21n2 



1 (2a)" 

2 



(3.43) 



We use the same approximations used in Chapter 0, and equations ( |3.35|) 



and (|3.22|) to calculate the leading terms in the optimal mutual information 
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(13.391) and ( |3.40|) . For k — f (n even) we get pk = (regardless of the small 



angle) and 

7 2 (pn) = 1 . (3.44) 

For k < | we get Pfc~| — ^f~| — a n ~ 2k which yields [using equation (|2.14j) 
with r] = a n ~ 2k ] 

h(p k ) « i^« 2n " 4fc • (3-45) 

The coefficient g^ = « 2fc for A; < | and g^ = 2a 2fc for A; = |, so that 

qMvu) « j^« 2(n " fc) (3-46) 

for fc < |, and 

g fc / 2 (p fc ) « 2a" (3.47) 

for k = \. The dominant terms are those with the largest k, that is, k closest 
to |. The next terms are smaller by two orders in a. The number of density 
matrices with these fc's are also the largest (up to a factor of 2 in case of even n). 
Therefore, the terms k = ~ for even n and k = ^=i for odd n are the dominant 
terms in the final expression. Thus, for almost fully overlapping states, the 
mutual information is 

7 « ~2( f j 2Q -y° 

for even n, and 

^°f-(^) r ^« n+1 (3-48) 

for odd n. 

These expressions can be further simplified. The number of density matrices 
of any type is bounded (for large n) using Stirling formula (see |73j in the chapter 
on Reed-Solomon codes) 

/ \ 2 nH{kln) 

< . 3.49 

W ^2n(k/n)(l-k/n)n 



For k near |, 77 = | — - is small, and the standard approximation (|2.14|) : 



H « l-0(r? 2 ) = 1-0 f(i - A;/n) 2 ) < 1 is used to derive (?) < 2 " 

Using also k/n(l — k/n) ~ | — ^ 2 , we derive 

/VA 2 n 

< 7 =(l + 0(r / 2 )). (3.50) 

Thus the leading term in I M is 

2 n /7T~ 

I M < -=a n = (2a) n /J-n (3.51) 
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for even n and 

h > < tot"" 1 = i?w/\l¥ < (2a ^Jr < 3 - 52 > 

V 2 

for odd n (using a < In 2/2). We see that we could keep a better bound for odd 
n but for simplicity we consider the same bound for both even and odd n's. 

We can now compare the optimal information Im from a coherent measure- 
ment on all n particles to the optimal information I5 from separate measure- 
ments (cf. eq. |3.43| ): 

I M = 0(1) x (2a)W" 
Is = 0(1) x (2a) 



(3-53) 



Since a is a small number (corresponding to highly overlapping signal states), 
the coherent measurement is superior to the individual measurement by an 
approximate factor of (2ot)~ n . However, it is only superior by a polynomial 
factor, since 

I M -\fT s . (3.54) 

3.4 Deterministic Information on the Parity Bit 

For a single particle Bob can perform a different kind of individual measurement 
which is not optimal in terms of average mutual information but is sometimes 
very useful [|], [86[ . It yields either a conclusive result about the value of that bit 
or an inconclusive one, and Bob will know which of the types of information he 
has succeeded in obtaining. Such a measurement corresponds to a binary erasure 



channel [BG, [59], 45|. With probability p? of an inconclusive result, the mutual 
information is I Pl = 1 — p?. The minimal probability for an inconclusive result 
is cos 2a leading to I p? = 1 — cos 2a |86| . This result is obtained by performing 
a generalized measurement (Positive Operator Value Measure |86], [>|, |6l| ) on 
the system or a standard measurement performed on a larger system which 



contains the system and an auxiliary particle |86|, |60|. Note that this results in 
less mutual information than the optimal measurement for one-particle mutual 
information. If Bob uses this type of measurement on each particle separately 
his deterministic single-particle information about the parity bit is (1 — cos2a) n . 
We now use the block-diagonal density matrices derived in Section |3J] to 
derive also the optimal deterministic information on the parity bit. We note 
that each of the 2x2 blocks in the block-diagonal density matrices is the 
density matrix of a pure state, so we may replace the optimal measurement 
in each subchannel with the optimal deterministic measurement and proceed 
as before. The total optimal deterministic information is easily calculated by 
replacing -^(Pfc) in ( 3-39 ) and ( 3.40 ) by I{p? k ) = 1 — p? k - To find the minimal 



P? fe we recall that each of the normalized density matrices B^ n ' k ^ corresponds to 
pure states ( |3.24j ) with some angle 7. Comparing with equation ( |3.23|) we can 
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write the overlap as the difference between the diagonal terms of the density 
matrices 

2(n-fc) 2fc _ 2k 2(n-k) 

V , = cos(2 7 ) = cos 2 7 - sin 2 7 = c2(ra _ fc)g2fc + c2fcg2(ra _ fc) , (3.55) 

hence 

2(n-k) 2k _ 2k 2(n-k) 
-'IP? J = 1 — c 2(n-k) s 2k _|_ c 2k s 2(n-k) ' (3.56) 

The total information is 



' n\ w . 1 / n 



^ en = e ^jft j (wj + 2 y 9f 7 (^/ 2 ) > ( 3 - 57 ) 



for even n, and 



re-l 
2 



^ = EQft%J (3-58) 

for odd n. 

For n = 2 we recover a result previously obtained by Huttner and Peres 
|p5fl by performing the optimal POVM on the first pair of density matrices of 
equation (|3.26| ), and a measurement in the entangled basis (as before) on the 
second. The probability of an inconclusive result is cos 2 7 — sin 2 7 = ° 4 ~^ 4 = 
jj^a , hence the optimal deterministic information is 1 — 1 ^ 2 , leading to the 
total deterministic information 

Id = qiI D ( P ?) + g 2 / 2 (p 2 ) = \{l + C 2 )(l - 2^^) + y = 1 - C , (3.59) 

which is exactly the result obtained by Huttner and Peres (note, however, that 
they used an angle which is f — a hence derived 1 — S for the deterministic 
information). 

For almost overlapping states (small a) the dominant terms are still the 
same as in the case of optimal information. The term q^ is as before and the 
information in each port is 

/(pO = 1 (3.60) 

for k = I and 

„2n— 4fc „2n—Ak 

J(PO = 1 - ^-4*^-4* = 1 " (1 - « 2n " 4fc ) 2 = 2 « 2n " 4fc ( 3 - 61 ) 

for k < § . Taking into consideration only the dominant term we get 



n 

\2/ 



revert _. I 1 _ n 

in ~ „ a 



for even n which is the same as the optimal information, and 



\ 2 



2a n+1 (3.62) 



for odd n which is smaller than the optimal mutual information by a factor of 
i 

In 2' 
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3.5 Parity Bit for Density Matrices of Mixed 
States 

The previous discussion assumed that p£> are pure states. The generalization 
to the case of density matrices with equal determinants is straightforward. Let 
the bit '0' and the bit '1' be represented by 



and 



rf" = (-(«- rt " ( T r) )' < 3 ' 64 > 



(with s = sin a etc., and r < sc) which contains the most general density ma- 
trices of the desired type. On the Poincare sphere these density matrices have 
the same z components as the previously written pure states but smaller x com- 
ponents (hence smaller angle a'). We could choose other ways of representing 
these density matrices, e.g., with identical x components and smaller z com- 
ponents. Such representations are appropriate for comparison with pure states 
(since they yield the same mutual information for a single particle) but are less 
convenient for showing that the previous result is easily generalized. 
Clearly 

P m <™ = irf' + Pi") = ( o s °). P- 65 > 

A«- = ia»-rf>) = ( sc °_ r V)' < 3 - 66 > 

The total density matrix doesn't change and the difference density matrix has 
terms (sc — r) n instead of (sc) n . Reorganizing the basis vectors we again get 
the block diagonal matrices where each of the 2 by 2 matrices has the form 

Br = { ?r )S l 1 C V4" ) • (3.67) 

p \ ±(cs — r) n c Zk s Z( - n k) ) v ' 



When normalized, these density matrices have the form of equation ( |3.27| ) and 



are optimally distinguished by measuring them in the x direction. Transforming 
to the x basis as before we get the same 

qk = c 2(n-k) s 2k + c 2k s 2(n-k) ^gg) 

as before, and 

1 (cs — r) n 

P k = 2 ~ c 2{n-k) s 2k _\_ c 2k s 2(n-k) ' (O.09) 

The total information can now be calculated as before by assigning these pk 
and qk into equations ( |3.40| ) and ( |3.39| ) . Thus, the case of mixed states is also 
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analytically solved for any number of bits, and the influence of mixing on the 
optimal mutual information is through the Pfc's. 

Calculating the optimal information for small a and any r is possible but 
complicated. A much simpler alternative is to find a bound on the optimal 
information using pure states with the same angle, a', on the Poincare sphere, 

using 

, sin2a-2r 

tan 2a = , (3.70) 

cos 2a 



or using an alternative form for the mixed states ( |3.63| ) and ( |3.64p . 



3.6 The Connection to Quantum Cryptogra- 
phy 

In this chapter we solved a problem in quantum information: suppose Bob is 
given n particles, each in one of two possible states (either pure or mixed in 
2-d with equal determinants). How much mutual information can he extract 
on the parity bit and what is the optimal measurement? The density matrices 
describing the parity bit are very complicated and have 2 n dimensions. Thus, it 
is very surprising that the optimal information can be calculated, since previous 
results consider much simpler case (e.g. density matrices in 2-d). 

This result is important to the analysis of privacy amplification, and has 
crucial impact on quantum cryptography. Previously, it was known that pri- 
vacy amplification is effective when particles are not measured together, but 
its effectiveness against coherent measurements was in question. Our result 
provides the optimal measurement which can be done to find a parity bit. In 
particular cases, when almost fully overlapping states are used, we proved two 
complementary results regarding that optimal measurement: 

• The optimal information Im obtained by allowing all possible measure- 
ments is much larger than the one (Is) obtained by measuring each bit 
separately. 

• The optimal information Im is still exponentially small with the length of 
the string. This is an effectiveness result classical privacy amplification 
techniques are effective against any quantum measurement. 

Our "effectiveness result" leads to the derivation of strong security results 
against sophisticated attacks directed against the final key. However, such anal- 
ysis is much more complicated since it involves the key distribution protocol in 
real channels, and because Eve is exposed to classical information in addition 
to the quantum information. This is the subject of the next chapter. 
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Chapter 4 

Security Against Collective 
Attacks 



The discussion of the previous chapter treats an imaginary scenario which is 
very general but is not general enough to deal with the common situation in 
quantum cryptographic protocols. Still, it provides some basic tools required 
for such an analysis. 

The basic differences from the situation previously described are: 

• Eve probes states transmitted from Alice to Bob rather than fed by Alice; 
Thus, she has some freedom in choosing the states she obtains. 

• In addition to the quantum information (the possible states of the probes) 
Eve obtains classical data; The state of Eve's probes is information- 
dependent, and this fact must be taken into account in calculating the 
optimal information, and also in the optimization process. 

These differences create a more complicated situation where the final measure- 
ment must be optimized, not by itself, but together with the probing process. 

As far as quantum cryptography is concerned, this chapter provides strong 
evidences that quantum key distribution is secure. As far as physics is con- 
cerned, this chapter contains interesting examples for information-dependent 
quantum states. Another achievement is the development of new type of bounds 
on the information which can be extracted from quantum states. 

To emphasize the importance of the "effectiveness result" obtained in the 
previous chapter let us consider the scenario which is common in quantum key 
distribution schemes: Alice and Bob (the legitimate users) try to establish a 
secret key. They use any binary scheme and Alice sends V particles (see Sec- 
tion |1.4j ) through a noisy channel to Bob. An adversary, Eve, is trying to learn 
information on their key. She gets the particles one at a time, interacts with 
each one of them weakly (on average), and sends it forward to Bob. She must 
interact weakly with each particle if she wants to induce only small error rate 
(or alternatively, she could attack strongly only a few of the particles, but pri- 
vacy amplification is already proven effective against such type of attack ||). 
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Although the specification of the privacy amplification technique is announced 
after the transmission is over, Eve can keep a quantum state of a system which 
has interacted with all the transmitted particles, and use it after all the speci- 
fication is announced. Security against such joint attacks in error-free channels 



is shown in ||109| . Our main goal is to obtain a concrete bound on Eve's infor- 
mation for a given error rate, and show that it reduces to zero, if large strings 
are used. Typically, one would like to consider the case where Alice and Bob 
use existing technologies, while Eve is restricted only by the laws of physics. 

In the first sections we concentrate on symmetric collective attacks in which 
the same translucent attack is applied to each transmitted particle, and the 
attack is symmetric to any of the possible quantum states of each particle. 
Such an attack induces the same probability of error to each transmitted bit. 
It must be weak, or else it would induce a non acceptable error rate. Thus, the 
possible states of Eve's probe cannot differ much. 

In Section [O] we design a specific case in quantum key distribution where 
each of Eve's probes is in one of two pure states (with small angle between 
them), so the efficiency result of the previous chapter can be applied. We 
also incorporate error correction as is done in any realistic protocol and thus 
the analysis becomes more complicated. This part was done together with Eli 
Biham and Dominic Mayers and with the help of Gilles Brassard and John 



Smolin. It was published with Eli Biham in p0| . Sections [4.2|, [4.31 were done 



with Eli Biham pifl . In Section [4.2| we present new bounds on the information 



which can be extracted from mixed states in case the result regarding pure states 
is known. In Section [4.3| we combine the results of the previous sections and 
the fact that density matrices in Eve's hands are information-dependent and 
we calculate Eve's optimal information for various symmetric collective attacks. 
We show how to prove security against any symmetric collective attack which 



uses 2-dimensional probes. In Sections [14] and [4.5| we discuss the relevance 
of the previous result to non-symmetric collective attacks and to the optimal 
collective attack. 



4.1 The Simplest Case — Eve's Probes are in 
One Out Of Two Possible Pure States 

In this section we consider the two-state scheme and devise a specific attack 
against it. In the two-state ||] scheme the classical bits '0' or '1' are represented 
by two non-orthogonal pure states, which can be written as 





rh=r : and fc = _ (4.1 



respectively. Alice sends V such qubits. Bob performs a test which provides 
him with a conclusive or inconclusive result. For instance, he can test whether 
a specific particle is in a state i/j or a state orthogonal to it ipo = (_ S ™ S J; A 
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result tpo is treated as inconclusive (since it could also be ipx sent by Alice), 
and a result i[)q is identified as ip\. Alternatively, he could test if a particle is 
in a state ipi or a state orthogonal to it ipi = (!™J, and identify a result ip[ 
conclusively as ip®. Bob informs Alice which bits were identified conclusively, 
using the unjammable classical channel, and these bits are the raw data. Later 
on, they check the error rate on the raw data, and if it is reasonable, they use 
the remaining n bits to obtain a (hopefully secure) final key. The errors are 
corrected using any error- correct ion protocol. Finally, the parity of the full n- 
bit string is used as their final one-bit key (Of course, for practical purposes our 
approach must be generalized to yield a longer final string). 

Our first example of a collective attack is based on the "translucent attack 



without entanglement" of [45[, which leaves Eve with probes in a pure state. 

tion 

(4.2) 



The translucent attack without entanglement uses the unitary transformation 

cos a \ 




± sin a , 



where 9' is the angle of the states received by Bob, and a is the angle of the 
states in Eve's hand. The error rate is the probability of wrong identification 
and it is p e = sm 2 (9 — 6'). Using the unitarity condition cos 29 = cos 29' cos 2a 
we get for weak attacks that 

a= (p e tan 2 29) 1/4 . (4.3) 

This translucent attack is performed on all the bits, and it leaves Eve with n 
relevant probes, each in one of the two states (±J, with c = cos a and s = sin a. 
As a result, Eve holds an n-bit string x which is concatenated from its bits 
(x)i (x)2 ■ ■ ■ (x) n - For simplicity, we choose the final key to consist of one bit, 
which is the parity of the n bits. Eve wants to distinguish between two density 
matrices corresponding to the two possible values of this parity bit. Our goal is 
to calculate the optimal mutual information she can extract from them. 

For our analysis we need some more notations. Let h(x) be the number of 
l's in x, and p(x) be the parity of x. For two strings of equal length x y is 
the bitwise "AND", so that the bit (x © y)i is one if both (x)i and (y)i are one, 
and zero otherwise. Also x ffi y is the bitwise "XOR", so that (x © y)i is zero 
if (x)i and (y)i are the same, and one otherwise. For k (independent) strings, 
V\, . . . ,Vk, of equal length let the set {v}k contain all the 2 k linear combina- 
tions of v i, . . . , Vk (including the string v = 00 ... 0): (t>o), (^l), • • • , {vk), ( v i © 
v 2 ), {vi®v 3 ),..., {v k -i®v k ), (v 1 Q)v 2 ®v 3 ), ...(v 1 Q)v 2 ...Q)v k ). Since the (orig- 
inal) k strings are linearly independent these 2 k strings are all different. The 
quantum state of a string is the tensor product 



A 





I ccc . . . ccc \ 

±CCC . . . CCS 

\ ±sss . . . sss J 



(4.4) 
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living in a 2 n dimensional Hilbert space. The sign of the z'th bit (in the middle 
expression) is plus for (x), = and minus for (x)j = 1. The sign of the j'th 
term (J — . . . 2 n_1 ) in the expression at the right depends on the parity of the 
string x j and is equal to (— iy( x& i\ The density matrix p x = ip x ip x also has 
for any x, the same terms up to the signs. We denote the absolute values by 
Pjk = \(Px)jk\- The sign of each term (p x ) jk is given by 

/_^\p(xQj)/_-^\p(xQk) __ f^\p[xG(j®k)] _ (4.5) 

A priori, all strings are equally probable and Eve needs to distinguish be- 
tween the two density matrices describing the parities. These matrices were 
calculated and analyzed in Chapter [3] (henceforth, the BMS work fI5f). If Eve 
cannot obtain the error-correction code her optimal information on the parity 
bit is given by ( |3.39| ) and ( |3.40| ) . To leading order in a it is given by ( |3.48[ ) and 
it is 

I e M n =^Y k (4.6) 

for n = 2k, and 

Wl'^M 2 *)^ (4 - 7) 




I(n) = c , )a 2t (4.i 



for n = 2k — 1. Thus, 



with c = 1 for n = 2k and c = 1/ In 2 for n = 2k — 1. 

In case Eve is being told what the error-correction code is, all strings consis- 
tent with the given error-correction code (the r sub-parities) are equally prob- 
able, and Eve need to distinguish between the two density matrices: 

Po = ^ZT Z^ A* ! Pi - ^ttt L P- ( 4 - 9 ) 

I U OECW ^ I U OECCj 

where OECC is a shortcut for Obeys Error- Correction Code. 

Let us look at two simple examples where n = 5: one with r = 1 and the 
other with r = 2. Suppose that the parity of the first two bits, (x)i and (a;) 2, is 
Pi = 0. Formally, this substring is described by the n-bit string v± = 24 which 
is 11000 binary; The number of l's in the first two bits of a string x is given 
by h(x t>i), and x obeys the error-correction code if p(x V\) = p\. Let Vd 
be the binary string (11111 in this case) which describes the substring of the 
desired parity. Eve could perform the optimal attack on the three bits which 
are left, or in general, on v\ © Vd- For any such case, the optimal attack is given 
by the BMS work and the optimal information depends only on n{v\ © Vd), the 
Hamming distance between the two words. This information [using eq. (|4.8|) ] is 




(4.10) 
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with c = 1 for even n (which equals to 2k) and c = l/ln2 for odd n (which 
equals h = 2k — 1). 

Suppose that Eve gets another parity bit P2 = 1 of the binary string 01100 
(t>2 = 12). Now, a string x obeys the error- correct ion code if it also obeys 
p{x V2) = P2- Clearly, it also satisfies p[x (v 1 © i^)] = p\ ©P2- In the general 
case there are r independent parity strings, and 2 r parity strings in the set {v } r . 
The BMS result cannot be directly used, but it still provides some intuition: 
For each word (i.e., each parity string) Vi G {v } r , let J(ri(f;©f rf )) be the optimal 
information Eve could obtain using (|4.10|) . Also let I sum be the sum of these 
contributions from all such words. In reality Eve cannot obtain I sum since each 
measurement changes the state of the measured bits, hence we expect that I sum 
bounds her optimal information Itotai'- 

Conjecture 

I total < Isum ■ (4-11) 

On the other hand, Eve knows all these words at once, and could take advantage 
of it, thus we leave this as an unproven conjecture. 

In the following we find an explicit way to calculate the optimal information 
exactly. However, this exact result requires cumbersome calculations, thus it is 
used only to verify the conjecture for short strings. 

The parity of the full string is also known since the density matrix p( n ' r+1 ) 
corresponds to either Po or Pi depending on the desired parity p r+ i, thus 
we add the string t> r +i = t> d . There are r + 1 independent sub-parities altogether, 
hence 2 r+1 parity strings in the set {v } r +i- A string x is included in p( n,r+1 ) if 

p[xQvi}=pi (4.12) 

for all given substring in {v } r +i In the BMS work (where r = 0) the parity 
density matrices were put in a block diagonal form of 2 n ~ 1 blocks of size 2x2. 
This result can be generalized to the case where r parities of substrings are 
given. There will be 2 n_r_1 blocks of size 2 r+1 x 2 r+1 . We shall show that the 
(j/c)'th term in a density matrix p( n ' r+1 ) of r + 1 sub-parities is either zero, pjk or 
—Pjk, that is, either all the relevant strings contribute exactly the same term, or 
half of them cancels the other half. The proof can be skipped in a first reading. 

Theorem 

The element (p^ n ' r+1 - ) )jfc is zero if j © k ^ {v} r+ i, and it is ±pjk if j © k E 
{v} r+1 . 

Proof 

In case 



choose C such that 



j © k $ {v} r+1 (4.13) 

p[CQ Vl ]=0 (4.14) 
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with all (uj)'s in {t>} r +i and 

p[CQ(j®k)} = l (4.15) 

(many such C's exists since C has n independent bits and it needs to 
fulfill only r + 2 constraints). For such a C and for any x which obeys the 
error-correction code there exist one (and only one) y, y = x © C, which 
also obeys the code (due to the first demand) but has the opposite sign in 
the jfc'th element (due to the second demand), so (p y )jk = — (Px)jk (due 
to eq. POJ). Since this is true for any relevant x, we obtain 



(p {n ' r+ %k = . (4.16) 

In case 

]®ke {v} r+1 (4.17) 

such C cannot exists, and all terms must have the same sign: Suppose 
that there are two terms, x and y with opposite signs. Then C = x © y 
satisfies the two demands, leading to a contradiction. 

QED 

This theorem tells us the place of all non- vanishing terms in the original order- 
ing. The matrices can be reordered to a block- diagonal form by exchanges of 
the basis vectors. We group the vectors s, s ffifi, etc., for all (f/)'s in {t>} r+ i to 
be one after the other, so each such group is separated from the other groups. 
Now the theorem implies that all non-vanishing terms are grouped in blocks, 
and all vanishing terms are outside these blocks. As a result, the matrix is 
block-diagonal. This forms 2 n_r_1 blocks of size 2 r+1 x 2 r+1 . All terms inside 
the blocks and their signs are given by eq. Q4.4D and ( |4.5| ) respectively up to 
reordering. The organization of the blocks depends only on the parity strings 
vi and not on the parities pi, thus, p^ and Pi are block diagonalized in the 
same basis. The rank of a density matrix is the number of (independent) pure 
states which form it, and it is 2 n ~ r ~ 1 in case of the parity matrices [eq. Q4.9|) 1. 
When these matrices are put in a block diagonal form, there are 2 n_r ~ 1 (all 
non- zero) blocks. Thus, the rank of each block is one and the corresponding 
state is pure. When a block is fully diagonalized to yield 



B m 



( dj ... \ 
... 
... 



\ o o o ... o/ 



(4.18) 



the non- vanishing term a,j in the j'th block is the probability that a measurement 
will result in this block. 

In the BMS work (r = 0), the information, in case of small angle, was found 
to be exponentially small with the length of the string. When each probe is in 
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a pure state, this result can be generalized to r > as follows: The optimal 
mutual information carried by two pure states (in any dimension) is well known. 
The two possible pure states in the j'th block of Pq and p\ can be written 
as (+°ijffl)- The optimal mutual information which can be obtained from the 
j'th block is given by the overlap (the angle /3 j) 

Ij -, = 1 + Pj hgpj + (1 - Pj )log(l - Pj ) , (4.19) 

where 

ft = i^f^ ; (4.20) 



The overlap is calculated using eq. ( |4.4| ) and (|4.5|) . Thus, for any given error- 
correction code, we can find the two pure states in each block, the optimal 
information Ij, and finally, the total information 



'total 



£%V (4.21) 



We did not use the value of Vd in the proof, and thus, the final key could be 
the parity of any substring. Moreover, we intend to develop similar methods 
to analyze keys of several bits which can be formed from parities of several 
substrings. 

We wrote a computer program which receives any (short) error-correction 
code and calculates the total information as a function of the angle a between 
the pure states of the individual probes. We checked many short codes (up to 
n — 8) to verify whether I to tai < hum as we conjectured. Indeed, all our checks 
showed that the conjecture holds. The information for small angle a is bounded 
by 

hum = Ca 2k (4.22) 

as previously explained, where C is given by summing the terms which con- 
tribute to the highest order of eq. ( |4.1U ), and the Hamming distance n (which 



is 2k or 2k — 1), can be increased by choosing longer codes to provide any desired 
level of security. 

In addition to a desirable security level, the error-correction code must pro- 
vide also a desirable reliability; A complete analysis must include also estimation 
of the probability pf that Alice and Bob still has wrong (i.e. different) final key. 
For enabling such analysis, one must use known error-correction codes. Random 
Linear Codes allow such analysis but cannot be used efficiently by Alice and 
Bob. Hamming codes | 73f , H r which use r given parities for correcting one error 



in strings of length n = 2 r — 1, have an efficient decoding/encoding procedure 
and a simple way to calculate pf. A Hamming code has 2 r words in {v } r , all of 
them, except 00 ... 0, are at the same distance h = 2 r ~ 1 — 1 from Vd- Using our 
conjecture and eq. ( |4.10| ) (with k = 2±i = 2 r_2 ) we obtain 



^<(r-l)^(Z:l)a^ + 0(a^) . (4.23) 
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For r = 3 (n = 7) the conjecture yields /total < 60.6a 4 , where the 2 3 — 1 words 
(0111001; 1101010; 1110100 and their linear combinations 1010011; 1001101; 
0011110; 0100111) are at a distance n = 3 from v d = 1111111, and 0000000 at 
a distance h = 7. This Hamming code was presented in Section |1.4j. For the 



exact calculation we use Vd so there are 4 independent parity strings: 0111001; 
1101010; 1110100; 1111111. As a result, there are 2 4 resulting strings where 
0001011; 0010101; 0101100; 0110010; 1000110; 1011000; 1100001; 1111111 are 
added to the above. Averaging over all the density matrices which are consistent 
with such given parity strings, and organizing the matrices in a block diagonal 
form, we calculated (using the computer program) the pure states in each block 
and the resulting information obtained by the optimal measurement. The exact 
calculation also gives the same result as above, showing that the conjecture 
provides an extremely tight bound in this case. 
Using 



2(2"-) 




(4.24) 



and some calculation we finally obtain 



J total < = V¥~\2a)^ , (4.25) 



bounding /total to be exponentially small with n [which follows from 2 T '~ 1 = 
(n+l)/2]: 

/total <C(n) (2a) (™ +1 )/ 2 , (4.26) 

with C{n) = \/n + 1 ln 2 2 y= . As a function of the error rate the information is 

/total < C(n)(16j9 e tan 2 2#)( n+1 )/ 8 . (4.27) 

The rate of errors in the string shared by Alice and Bob (after throwing 
inconclusive results) is the normalized error rate, p e = p e /(p c + Pe), where 
p c = sin(9 + 9') is the probability of obtaining a correct and conclusive result. 
For small a it is p e = , 2 f 26) = 2 s ™l 2 26> a 4 . The final error probability pj is 
bounded by the probability to have more than one error in the initial string, 
since the code corrects one error. It is pj = 2 ~ (p e ) 2 + 0[(np e ) 3 ], showing 
that we can use the Hamming codes as long as np e « 1. In case it is not, 
better codes such as the BCH codes |73j (which correct more than one error) are 
required, but their analysis is beyond the scope of this work. Extracting more 
than one final bit is also possible, but is also beyond the scope of this work. 

4.2 Bounds on Information 

In terms of quantum information theory the result of eq. ( |4.26| ) (henceforth, the 
BM result) extends the BMS result to the case where parities of substrings are 

66 



given (error-correction code). For purposes of quantum key distribution, the BM 
result provides the first security proof (assuming the verified conjecture |4.11|) 
against a strong attack. However, it is restricted to attacks in which Eve's 
probes are in a pure state. Unfortunately, most possible translucent attacks on 
the two-state scheme f|], which can be used in the first step of the collective 
attack, leave each of Eve's probes in a mixed state. Also, any translucent attack 
on the four-state scheme || leaves each probe in a mixed state (at least for two 
out of the four possible states). 

The goal of this section is to apply the BM result to the case of mixed states. 
We demonstrate that any type of information which can be extracted from 
certain two-dimensional mixed states can be bounded, if the solution for pure 



states is known. In the next sections we use this bound and conjecture |4.11| to 
explicitly demonstrate, via examples, how to bound Eve's optimal information 
(for a given induced error rate). 

Any state (density matrix) in 2-dimensional Hilbert space can be written as 

P = ^P (4.28) 

so that 

P = -( 1 t Z X ~ W ) , (4-29) 

with r = (x,y,z) being a vector in TZ 3 , a = (& x ,a v ,a z ) the Pauli matrices, 
and I the unit matrix. In this spin notation, each state is represented by 
the corresponding vector r. For pure states \r\ = 1, and for mixed states 
\r\ < 1. Suppose that x an d C are two density matrices, represented by r x and 
r^ respectively. It is possible to construct the density matrix 

p = m ( + (1 - m ) x (4.30) 

from the two matrices (where < m < 1 since m and 1 — m are probabilities), 
and the geometric representation of such a density matrix p = — ^^ is 

r p = mr^ + (1 — m)r x . (4-31) 

Two pure states can always be expressed as |$ ) — (j an d |$i) = (_f s )> with 
c = cos a and s = sin a. Using the notations of density matrices 

$o = |$o>($o| ( 4 -32) 

etc. the two pure states are 

%A( l V ,'.), (4-33) 



with z = cos 2a and x = sin 2a for p = and x = —sin 2a for p = 1. If $ p is 
used to describe bit p, the receiver can identify the bit by distinguishing the two 
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pure states. Two (not necessarily pure) density matrices p p in two-dimensional 
Hilbert space, with equal determinants (which are equal to \r\) can also be 
expressed using similar form with z = \r\ cos 2a and x = ±|r| sin 2a. For two 
such mixed states let us choose a state Xm and two pure states $o, $1 such that 

p = m§ + (1 - m)xn 

Pl = m $j + (1 - m ) Xn . (4.34) 

Let I be some (positive) measure for the optimal distinguishability of two states, 
so that any operation done on them cannot lead to a distinguishability better 
than /. From the construction of ( f4.34|) , it is clear that any such measure, /, for 



optimal distinguishability must find that the two mixed states p p are not more 
distinguishable than the two pure states $ p . That is 

Theorem 

J($o;$i)>/(po;pi). (4.35) 

Proof 

Suppose the contrary J($o; $1) < I(po',pi)- Then, when one receives 
$ p he can mix them with Xn and derive a better distinguishability than 
J($o; ^i) 5 i n contradiction to the definition of I(&o; 3*1 )■ 

QED 

We can choose any measure of an optimal information carried by these sys- 
tems to describe the distinguishability. Very complicated types of information 
can be extracted from such systems, as for example, the optimal information 



on the parity of an n-bit string of such quantum bits fig , |20|| . In the case ||20|| , 
where parities of substrings are given, a solution exists only for pure states with 
small angles (the BM result). We can use this known solution to bound the 
optimal information on mixed states which are close to each other. 

Let p cms be the completely mixed state p cms = \l. Also let p^ be the pure 
state of spin down in the z direction. Two cases of (f4.34j) are useful for our 
purpose: 

a) p p = m$ p + (1 — rn)p cms , where the pure states $ p have the same angle as 
p p (see Fig. 4.1a); 

b) p p = m$ p + (1 — m)pi, where $ p (which are uniquely determined) are 
shown in Fig. 4.1b. 

The first type of bound is useful if p p have a small angle a (which satisfies 
tan 2a = x/z), so that the angle between the pure states /3 = a is also small. 
The second type of bound is useful when the 'distance' 2x between the two 
possible mixed states is small (while a might be large). In this case x is small 
and z positive hence the resulting angle (3 between the two pure states is small 
(following tan/? = tan 26 = -^ < x). Thus, in both cases the angle between 
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A. n 



a 



b 



Figure 4.1: Two ways of finding two pure states $ p from which the two density 
matrices p p can be constructed using a third state Xn common to both density 
matrices. In a), Xn = Pcms, the completely mixed state. In b), Xn =lz, the 
"down z" pure spin state. 

the two pure states is small so that I(n,(3) < C(n)(2(3Y n+1 ^ 2 (with C(n) = 
\/n + l ln2 2 /^ ) provides an upper bound on Eve's information on the final key. 
Note that our final goal is to get I(n,p e ), thus we need also to find the relation 
between p e and (3 (through the known relation with a). 



4.3 Security Against Symmetric Collective At- 
tacks 

An explicit calculation of Eve's density matrix as a function of p e must be done 
separately for any suggested attack to obtain I(n,p e ). However, the fact that 
Eve is permitted to induce only small error rate restricts her possible trans- 
formations at the first stage of the collective attack, hence, the two possible 
states of each of her probes must be largely overlapping (for a symmetric at- 
tack). Concentrating on two-dimensional probes, this implies that the second 
of the two cases above can always be used to bound Eve's information to be 
exponentially small. For certain examples - the first case is sufficient, hence 



69 



the angle between the two possible pure states can be calculated from Eve's 
density matrix directly using (3 = a. Let us show two examples in details, to 
conclude that Eve's information is exponentially small with the length of the 
string. Both examples use the same unitary transformation but are applied 
onto different quantum cryptographic schemes, the two-state scheme |4j and 
the four-state scheme ||. 

In our examples Eve uses a 2-dimensional probe in an initial state LJ. She 
performs a unitary transformation 



U 



(4.36) 



(with |0) Alice's state), where 
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(4.37) 



with c 7 = cos 7, etc. With 7 = § this gate swaps the particles 






'V 

,0, 



(4.38) 



Eve chooses a small angle 7 so that the attack is a weak swap. Let Alice's possi- 
ble initial states be \<j> p ) = (^ n0 ) in the two-state scheme, and \<f> m ) = -75 L m ) 
(with i = \/— 1 and m — • • ■ 3) in the four-state scheme. The corresponding 
final states are 



1^ ) 



( cos9 \ 
± sin 9 c 7 
± sin 9 s~, 
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/ 



/ 



1^ ) = — - 
1 m) V2 



\ 



(4.39) 



V J 



respectively 

Bob's reduced density matrices (RDMs) are calculated from |\l/)(\l/| by trac- 
ing out Eve's particle. This operation is usually denoted by 



^ = Tr s [|*)<*|] 



(4.40) 



where the full formula is given by eq. (5.19) in [|6| (p nm = T,^ Pnv, mf i$nv 
HuPn^my)- We denote this operation by 



p B = Tr E (!*><*|)/ 



(4.41) 



where the two-dimensional 5^ w is written as /. From Bob's matrices we find 
the error rate, that is, the probability p e that he recognizes a wrong bit value. 
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Calculating Eve's density matrix is more tricky; we need to take into account 
the additional information she obtains from the classical data, in order to obtain 
an information-dependent RDMs. This is a trivial task for the four-state scheme 
but a rather confusing task in case of the two-state scheme. 

In case of the four-state scheme Bob measures his particle in one of the basis 
x (corresponding to m — 0, 2) or y (m = 1, 3). Suppose that Alice and Bob use 
the x basis; Bob's RDMs are 

\ =n 2 7 2 2~v 7/ / 

leading to an error rate p e = sin 2 (7/2) which is the probability that he identifies 
|0 2 ) when |0q) is sent. Eve has the same knowledge of the basis, hence her 
information-dependent RDMs are 

Pe=( * + A^ ? iffcy.) > (4-43) 

\ zn 2 i "T 2 2V 7/ / 

so that x = s J7 z = (c 7 ) 2 , and the relevant angles are 2(3 = 2a = (tan) _1 (s 7 /c 7 2 ) 
(using the first type of bounds). For a small angle 7 we get p e ~ 7 2 /4 + 0(7 4 ), 
(3 ~ 7/2 + 0(7 3 ), and thus p e ~ (3 2 + 0((3 A ). The information is thus bounded 

by 

I(n,p e )<C(n)(4 Pe y n+1 ^ (4.44) 

to be exponentially small [using ( [4.261) 1- 



It is interesting to note that this spin-exchange attack against the four-state 
scheme provides the optimal information vs. disturbance for individual attacks. 
This can be easily seen by calculating ^2(7) from p E and then by comparing 



h(Pe) to the optimal result calculated recently in |50| . As a result, this attack 
also provides the maximal possible 'distance' between Eve's possible density 
matrices (on the Poincare sphere) for a given error rate. Thus, with some more 
work, it is possible to obtain a bound on Eve's optimal information on the final 
key using any symmetric collective attack (on the four-state scheme) which uses 
probes in 2 dimensions. This interesting result was obtained only while adding 
final corrections to this thesis, and thus, it shall be explicitly shown in a future 
review paper on the security issue, but not in this thesis. 
In case of the two-state scheme Bob's RDMs are 

Pb = ( {Ce? 1 {Sd)2{S " ? *T*% ) ■ (4.45) 

^ ±c 9 s 9 c^ (s e ) 2 (c 7 ) 2 J 

Bob chooses one of two possible measurements, M _»i or Mi^q, with equal 
probability Po^i — Pi^o — 1/2; In case of M ^i, Bob measures the received 
state to distinguish O from its orthogonal state <po and finds a conclusive result 
'1' whenever he gets <po . (The conclusive result '0' is obtained by interchanging 
and 1 in the above). The error rate is the probability of identifying <f) p ' when 
(f) p is sent, and it is 

Pe = (^) 2 (c,) 2 [l - c 7 ] 2 + (se)\s,) 2 . (4.46) 
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To obtain Eve's density matrices one must take into account all the infor- 
mation she possibly has. If one ignores the classical information and calculates 
the standard RDMs (as in ||5l|), then the result is of significant importance to 



quantum information, while it is less relevant to quantum cryptography Re- 
call that Bob keeps only particles identified conclusively (as either O ' or <pi)\ 
Bob informs Alice - - and thus Eve - - which they are, and, as a result, Eve 
knows that Bob received either O ' or <Pi i n his measurement, and not <f) or 
(pi. This fact influences her density matrices, and these are not given anymore 
by the simple tracing formula pe = Tr s (|\1/)(\1'|)/ . In general, information 

dependent RDMs are obtained by replacing I by any other positive operator A: 



p E = Tr B (|*><*|)i 



(4.47) 



(This is a rather obvious conclusion from the discussions prior to eq. (5.19) and 



also from page 289 in Section 9 in |8q|); The correctness of this technique can 
easily be verified. In our case 



Pe = Tr f 



(WWX^oOM + ^iWI) 



(4.48) 



where the halves result from po^i an d Pi-,o- This tracing technique leads to 



Pe 



[se)\c e f + (s ) 2 (cg) 2 (c,) 2 ±c e {s e fs. 



After normalization we get 



±cg{s e ys~ 



x = 2s 1 c e (sg) 3 /Trp E 



foOW 



and 



1+z 1 - z 



[{c e ) 2 {sg) 2 [l + (c 7 ) 2 ] - ( S g) 



2 ]/Trpi 



(4.49) 



(4.50) 



(4.51) 



The relevant angles are again 2(3 = 2a = tan 1 (x/ z). For small angle 7 we get 
p e w s e 4 7 2 + 0(7 4 ), 2/3 w (sg/cg)^ + 0(7 3 ). Finally we get 



from which we find 



Pe ^(sg) 2 (cg) 2 (2(3) 2 + 0((3 i ) 
/ V \ («+l)/4 

I(p e ,n)<C{n)(^-) 

\SgCgJ 



(4.52) 

(4.53) 



with C(n) as before. 

From the dependence on p( n+1 )/ 4 (that is, from p e w (3 2 ) one might get 
the wrong impression that this attack is much worse to Eve than the EHPP 
attack [see ( [4.27[ ) where p e ~ a 4 }. This is indeed the case since the EHPP 
attack is especially designed to attack the two-state scheme. However, Alice 
and Bob can easily overcome this problem if they use other (additional) states 
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in the protocol. Such additional states are used only for error estimation and 
are much more sensitive to the EHPP attack. For instance, if Alice sends the 
additional state Lj to Bob, then Bob's RDM is 



2, ,2 



(4.54) 



as a result of the EHPP transformation (|2.3| ). The induced error rate is 

f^V « taQ 2 0a 2 (455) 

or 

proving that p e ~ a 2 as in the attacks presented in this section (actually, Alice 
and Bob could even identify that Eve is performing an attack specially designed 
against the two-state scheme if p e is so much different for different states). Thus, 
if Alice and Bob use such verification states, Eve must take this into account 
and decrease a in an appropriate way. As a result of the existence of such 
unique attacks against the two states of the two-state scheme, and the recent 
proof that the optimal attack on the four-state scheme also yields p e ~ (3 2 [|5(J 
it is quite clear that it is better to abandon the two-state scheme as it is today 
and to modify it as we just suggested. Whether the modified two-state scheme 
still deserves being called a two-state scheme is a matter of taste, but clearly it 
loses one of its main advantages over the four-state scheme, namely using two 
states instead of four for secure transmission. 



4.4 Security Against Non- Symmetric Collective 
Attacks 

While writing this thesis we extended the previous result a bit further, analyzing 
also a typical example of a non-symmetric collective attack. These results are 
yet partial, but due to their importance, we prefer to add them in an incomplete 
form rather than to ignore them. 

In this section we present the gate of weak measurement and use it to per- 
form a non-symmetric attack on the four-state scheme. This attack generalized 



the simple attack presented in Section |1.4j, where Eve performed standard mea- 



surements in one of the two basis. In the original attack Eve can only attack 
a small potion of the particles, rj, or else she induces too much noise. Using 
the weak measurement gate presented here, she can attack all particles (for any 
permitted error rate). 

A gate for standard measurement performs the transformation 

11 f A - ( l 'fA { V fA («6) 
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We generalize this gate to 



'sU/aL 



' cos 7 \ / 1/V2 \ 
,±sin T J B V±l/V2j B 



(4.57) 



which yields the previous gate for 7 = 7r/4 and yields a weak measurement gate 
for small 7. This unitary transformation stands for a weak measurement in the 
x basis. 

Let us apply the unitary transformation to f ) and f 1 



t 1 \ 





V y 



( c 7 \ 



\ Sy J 



( \ 

1 



V y 



t ° \ 



V ; 



(4.58) 



This unitary transformation can be chosen as: 
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— s 



7 



c 



V s 7 
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(4.59) 



/ 



Applying this (x basis) weak measurement transformation to \(f> p ) and \4> m ) we 
get 



±s e 





V 



I c-fCe \ 

±C 7 Se 

±s 7 se 
V s^c e J 
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I l \ 

i m 




f ^ \ 

i m c 7 


71 




V j 




V s 7 / 



(4.60) 



One can verify that for 7 = 7r/4 and m = 0, 2 this is the standard measurement 
gate (in the x basis) we started with. 

When Eve applies this transformation onto the two-state scheme as above, 
she actually applies another symmetric collective attack. However, when Eve 
applies this gate to attack the four-state scheme by choosing randomly in which 
basis (x or y, in our case) to measure^], she applies a very enlightening example 
of a non-symmetric collective attack. 

We consider the case where Eve performs a weak measurement in the x 
direction. If Alice and Bob also use the x basis Eve induces no errors and the 
angle for her probe is a = 7. If they use the y basis the reduced density matrices 
in Bob's hands are 



f>B 



leading to an error rate p e 




=F 



2 C2 7 
1 



(4.61) 



The average error rate is thus, p e 



(sin 7)/2, and this bounds 7 to be small. For small angles 7 = y/2p e 



1 The gate presented above can be easily generalized to give a weak measurement in any 
other direction. 
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Eve has the same knowledge of the basis, hence her information-dependent 
RDMs are 

^=(*i M ,J K) ). (4.62) 

These RDM's are independent of the state sent by Alice. Thus, Eve's density 
matrix provides no information at all. 

Although Eve's average information on each bit does not differ much from 
the previous example (using the spin-exchange gate), her average information 
on the parity bit is much reduced. In most cases it is exactly zero since the 
probability that Eve guesses the basis of all the bits in an rz-bit string correctly is 
2~ n . Even when she does guess it correctly, her information is still exponentially 
small 

/<C(n)(8j9 e ) (n+1)/4 , (4.63) 

but larger than the information Eve obtains using the spin-exchange gate by 
a factor of 2^ n+1 ^ 4 . On average, her information is reduced by a factor of 
2[(n+i)/4]-n w 2- 3n / 4 compared to that symmetric attack. 

To gain a better comparison, one should calculate Eve's information in a 
symmetric collective attack using a weak measurement in the Breidbart basis 
(the basis symmetric to the x and the y bases), or even better --to calculate 
Eve's information in a non-symmetric attacks where Eve measures in some 
chosen angle from the Breidbart basis. 



4.5 Security Against Any Collective Attack 



We have seen simple symmetric collective attacks in Section [4.3| . The informa- 
tion available to Eve when she performs any other symmetric collective attack 
with two-dimensional probes can also be calculated using our method. In par- 
ticular, when the optimal attack of that type will be found, our method can be 
used to prove security against it; For small enough error rate Eve's probes must 
have small angles between them, and thus, our proof can be applied using the 
first type of bounds (Fig. 4.1a). 

The second type of bounds (Fig. 4.1b) is usually irrelevant when the attack 
is given (since Eve's initial state is usually in a pure state), but it can be 
very useful for finding the optimal attack, requiring only to find the maximal 
'distance', 2x, between the two possible states of the probe. For the attacks on 



the two-state scheme the optimal distance can be found as in |51| . Note that 
it will not provide the optimal attack, but it shall provide a bound on Eve's 
optimal information. For the attacks on the four-states scheme we can already 
perform the calculation as previously explained, and shall do it very soon. 

More general collective attacks can use non-symmetric translucent attacks 
and/or can use probes in higher dimensions in the first step of the collective 
attack. Methods similar to ours can be used for proving security against various 



non-symmetric collective attacks (in 2 dimensions), as is done in Section |4~4 . 
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But the calculation becomes more complicated, and we are not sure if all cases 
can be solved. However, the case solved in the previous section provides some 
intuition why non-symmetric attacks are not good for Eve. 

Our bounds cannot be used when Eve uses higher dimensional probes. On 
one hand, the two possible states of each probe in this case are still highly 
overlapping, and the same intuition which holds in our work shall still hold. 
However, extending the information bounds we found to three or four dimen- 
sions might be a difficult task since there no simple geometrical representations 
as for two dimensions. Note that analysis of dimensions higher than four is not 
required since they cannot help the attacker due to reasons shown in |51 . 
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Chapter 5 

Quantum Networks for 
Quantum Cryptography 



Quantum correlations between two particles show non-classical properties which 
can be used for providing secure transmission of information. In this chapter 
we present a quantum cryptographic system, in which users store particles in a 
transmission center, where their quantum states are preserved using quantum 
memories. Correlations between the particles stored by two users are created 
upon request by projecting their product state onto a fully entangled state. Our 
system secures communication between any pair of users who have particles 
in the same center. Unlike other quantum cryptographic systems, it can work 
without quantum channels and is suitable for building a quantum cryptographic 
network. We also present a modified system with many centers. This part was 
done together with Eli Biham and Bruno Huttner [TJ5| . 



The new developments in quantum computation started a wide surge of in- 
terest in the field of quantum computing gates and devices. However, building 
such computing devices is a difficult task, and quantum computing is only doing 
its first experimental steps. The building blocks of future quantum computers 



are one-bit and two-bit quantum logical gates p6|, O, 0, RTJ, which are currently 



under intensive development [[33|, |103| , |82fl . Building quantum computing devices 



to factor large numbers does not seem to be practical in the foreseeable future 
since it requires combining many one-bit and two-bit gates. However, a single 
two-bit gate also have intriguing uses in information processing and quantum 
communication such as teleporting a quantum state ||, and dense coding in 
quantum cryptography [TO . We shall show in this chapter that the use of quan- 
tum gates together with quantum memory opens new directions in quantum 
cryptography. Our system may be practical long before quantum computers 
are, hence it provides a short-term application for quantum gates. 

One of the main disadvantages of quantum cryptography is its restriction 
to relatively short channels. This is due to the fact that, in contrast to clas- 
sical channels, a quantum channel cannot use repeaters^] to amplify the signal 

^dn parallel, we investigated this problem as well and find a surprising way of denning 
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without loss of coherence. Currently, working prototypes enable transmission 
to distances of many kilometers (see the general introduction in Chapter [I]). 
Commercial systems may become available in the near future f55|, so that two 
users will be able to communicate securely (if they are not too far). However, 
building quantum cryptographic networks based on the existing schemes^ seems 
to cause severe difficulties (which may even make it impractical): 

1. Quantum communication requires any pair of users to have a common 
quantum channel, or alternatively a center (or a telephone-like switching 
network) connected by quantum channels to all the users, which should 
match any pair of channels upon request; enhancing the security of the cur- 
rent world-wide telephone network (which contains about iV rj 10 9 users 
(telephones) ) using quantum cryptography requires huge investments in 
quantum channels and devices. 

2. Any user must have the financial and technological abilities to operate 
complicated quantum devices. 

3. The keys must be transmitted online, or else one would need to transmit 
0(N 2 ) keys in advance to enable any pairs of users to communicate in 
secrecy. 

4. The network must assure authenticity of the users. 

It is important to have quantum cryptographic networks not suffering from these 
problems. 

In this chapter we suggest a new cryptographic scheme in which users store 
quantum states in quantum memories, kept in a transmission center. Upon 
request from two users, the center uses two-bit gates to project the product 
state of two non correlated particles (one from each user) onto a fully entangled 
state. As a result, the two users can share a secret bit, which is unknown even to 
the center. Our scheme can operate without quantum channels, if the quantum 
states are "programmed" at the center. In that case, the scheme does not suffer 
from the four problems just mentioned, and can operate at any distance. Hence, 
it is especially appropriate for building a quantum cryptographic network of 
many users. Such a system actually shows some of the useful properties of the 
public key cryptosystems, but yet, it doesn't require computation assumptions. 



In Section |5.1| , we present a new two-party quantum cryptographic scheme 
which is a time-reversed EPR-scheme. In Section |5.2| , we present a quantum 
network based on this scheme with the addition of quantum memories. In Sec- 



tion |5.3|, we discuss the possibilities of implementing our scheme in practice. In 



Section |5.4| , we present a more advanced network, based on quantum telepor- 



tation, where users can store their states in different centers and the centers 



quantum repeaters. See Section 6.1.3] and Section 6.3 



For a suggestion of a quantum cryptographic networks based on the existing schemes 
sec pi. 
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teleport states upon request. This network uses quantum channels; however, 
it requires quantum channels only between the centers, so that the 4 problems 



stated above do not arise. In Section |5J| we summarize this chapter 



5.1 A Time- Reversed EPR-Scheme for Quan- 
tum Cryptography 

The first goal of this chapter is to suggest another scheme for quantum cryptog- 
raphy, which we shall call the time-reversed EPR-scheme: in the EPR scheme, 



presented in Section |L4| , a singlet state is prepared and, later on, it is projected 
on the states of the four-state scheme; in our time-reversed EPR-scheme, each 
user prepares one of the four states of the four-state scheme, and, later on, the 
product state is projected upon a basis which includes the singlet state. Let 
both Alice and Bob send one of the four states, | f), | !), | <— ) or | — ►) to a 
third party whom we refer to as the center (the purpose of using this name 
shall be clarified in Section [5.2|) . The center measures their qubits together 
to find whether the two particles are in a singlet state. This can be done by 
measuring the total-spin operator (S to tai) 2 - If the result of the measurement is 
s = 0, then the two particles are projected onto the singlet state. In that case 
Eq. ( |1.25| ) ensures that, if the two spins were prepared along the same axis, then 
they necessarily had opposite values (the projection of the states with identical 
spins on the singlet state is zero). As a result, Bob knows Alice's bit and vice 
versa. However, from Eq. ( |1.25|) , an honest center, who follows the protocol and 
projects onto the singlet state, has absolutely no knowledge on these bits. For 
example, when Alice and Bob both used the vertical axis, the center does not 
know whether Alice had the up state and Bob the down state, or vice versa. If 
the measurement result is s — 1, Alice and Bob cannot infer anything about the 
value of each other's bit, and they discard the transmission. The probability of 
obtaining the singlet state is zero when Alice and Bob sent the same state (e.g., 
1"T), and is half in case they sent opposite states. Taking into account the case 
where Alice and Bob use different axes (which will also be discarded), we find 
that the overall probability to obtain a usable state is only one eighth. 

To create a key with many bits, Alice and Bob send strings of quantum 
states [LI > 8(L + I) qubits) to the center. The center must be able to keep 
them for a while (in case the states do not arrive at the same time from Alice 
and Bob), and then to measure the first pair, the second pair etc. The center 
tells Alice and Bob all cases in which the result of the measurement is a singlet, 
which happens in one fourth of the cases. Alice and Bob then compare their 
axes. When they used the same axis (which happens about half of the time), 
they know that their spins are necessarily opposite, and thus Bob can calculate 
Alice's bits to share a key with her. As in the BB84 scheme and the EPR 
schemes Alice and Bob use the classical discussion channel to estimate the error 
rate. If it is tolerable they perform error correction and privacy amplification, 
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Figure 5.1: Two processes, which we use to prove the security of the protocol. 
In both figures, one particle of each EPR correlated pair (denoted by dashed 
lines) is sent to the center, who performs a Bell measurement. We consider only 
the case where the result of the measurement is a singlet state. The second 
particles are sent to Alice and to Bob respectively, who project them onto the 
BB84 states. In a), the first measurement is done by the center. The particles 
arriving to Alice and Bob are therefore in the singlet state like in the EPR based 
protocol. In b), the first measurement is performed by Alice and Bob. Each 
particle sent to the center is therefore in one of the BB84 states. This is similar 
to our protocol. 

to derive a final L-bit key. 

The security of our protocol derives from the security of the EPR protocol, 
and relies on the fact that the singlet state is the only state for which the 
two spins are anticorrelated both in the S z and in the S x bases. However, as 
explained previously, if the center projects on the singlet state, he does not 
get any information on Alice's and Bob's bits. Therefore, a cheating center 
needs to project onto a different state (possibly entangled with his own system), 
which cannot give perfect anticorrelations along both S z and S x axes. Since the 
center cannot know in advance which basis was used by Alice and by Bob (the 
two density matrices corresponding to using S z or S x are identical), he will 
unavoidably introduce errors, which Alice and Bob shall identify during the 
discussion. 

In fact, in terms of eavesdropping possibilities, our protocol and the EPR 
protocol are equivalent, as we show using the scheme presented in Fig. 5.1. In 
this scheme, two EPR pairs are created, one particle of each pair is sent to the 
center, and the second one to Alice and to Bob. In Fig. 5.1a, the center performs 
a measurement on his two particles first. An honest center, who follows the 
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agreed protocol, projects the particles onto the singlet state. The two particles 
sent to Alice and to Bob are now in the singlet state as well. This is therefore 
equivalent to the EPR scheme. The only difference is that the projection onto 
the singlet state performed by the center succeeds with probability 1/4 only. 
This means that the center will ask to discard 3/4 of the transmission, but 
this does not affect the eavesdropping issue. A cheating center can send to 
Alice and Bob any state he wants, including any desired entanglement with his 
own system, by choosing an appropriate unitary transformation and the correct 
state on which to project his own particles. To show that, we start with the two 
singlet pairs and let the center introduce an ancilla in a state Amt- The state 
of the whole system is: 



$ 



ABC 



klU>-lit»®(IU>-UT>)®>W (5-1) 



The first particle of each singlet pair is sent to Alice and to Bob respectively, 
while the center keeps the second, together with his ancilla. The state &abc 
can thus be rearranged as: 

®ABC = ^ (l TT)AB®| U)c+\ ll)AB®\ TT)<H U)ab®\ lt)c-|4T)AB®| U)c) ®4nit , 

(5-2) 
where the index AB refers to the particles sent to Alice and Bob, and the index 
C refers to the particles kept by the center. The center now applies a unitary 
transformation U to entangle his particles with the ancilla in the following way: 

U$abc = 7 l ( \]])ab®\[[)c®A 1 + \[[) ab ®\]]) c ®A 2 

-I U)ab ® I IT)c ® A 3 - I IT)ab ® I U)c ® A 4 ) , (5.3) 

with Ai any normalized states of the ancilla which are (in general) not orthogonal 
to one another. 

By projecting his state onto if; = a\ [[) c + P\ TT)c - l\ IT)c - $\ Tl)c 
(this projection succeeds with probability 1/4 on average), the center creates 
the state 
i 
^abc = ^ («* I TT)ab <8> Ax + p*\ U) AB ® A 2 + 7 *| U)ab ® A 3 + 5* \ |T)ab ® A 4 ) , 

(5.4) 
which is the most general state the center could create when cheating the EPR 
scheme [0. This demonstrate the equivalence between Fig. 5.1a and the EPR 



scheme. 

In Fig. 5.1b, the first measurement is performed by Alice and Bob, who 
project the particles onto the BB84 states. Therefore, the particles arriving 
at the center are also in the BB84 states, and this scheme is identical to ours. 
Since the relative time of the measurements cannot influence the outcome, all 
these schemes are equivalent. Following the same reasoning, but in two steps 
(first letting only Alice measure before the center) it is also possible to show 
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that the security of the BB84 scheme implies the security of our scheme. Since 
the security of the EPR scheme implies the security of the BB84 scheme ||11|| , 
our proof actually shows that the security of the three schemes is equivalent. 

Using only the total spin measurement, less than one eighth of the qubits 
could be used. A better choice, although possibly more difficult to implement 
in practice, is to measure the Bell operator (defined in [p5| ) whose eigenstates 
(the Bell states) are the singlet state, \|/( _ ) [equation (|1.25|) 1, and the three other 
states: 

$ (+) = \f\ (I TT) + I U» = ]jl (I— > + !--» , (5.5) 

* (+) = \/|(IU) + lit)) = -yf (l<-<- ) - 1— ►» (5-6) 

and 

* h -yfdtt)- u» =^fa«— »>+i-«-» , (5.7) 

where the second expression for each of the Bell states is derived by expanding 
them (as was done for the singlet state) into the (| <— ) , | — ►)) basis. Consider a 
case where Alice and Bob used the same basis. According to the result of the 
measurement, and to the choice of axes by Alice and Bob, their prepared states 
are known to be either correlated (e.g. if the result is $ ( ~) and they both used 
the z axis), or anticorrelated (e.g. if the result is still $(~) but they both used 
the x axis). 

The protocol is: 

• The center retrieves the particles from Alice and Bob and measures the 
Bell operator on each pair. He gets one of the four above states, and tells 
his result to Alice and Bob. 

• Alice and Bob tell each other the axis they used (but not the bit value). 
When they used different axes, they discard the transmission. Whenever 
they used the same axis, they know if their bits are correlated or anti- 
correlated. In this case half of the quantum states are used to derive the 
desired key, and L' > 2(L + I) qubits are required. 

The proof of security for this case is similar to the proof in the singlet 
case. An honest center, who projects the states onto the allowed states, cannot 
get any information on the bits. For example, if the center obtains the state 
$' + \ and Alice and Bob announce later that they used the horizontal axis, 
the center only knows that either both Alice and Bob have the left state, or 
both have the right state. But he cannot know which of these two possibilities 
occurred, hence has no information on the bit values. Moreover, similarly to 
the singlet case, $( + ) is the only state for which Alice's and Bob's states have 
such correlations along both x and z axes. Therefore, for each bit on which a 
cheating center attempts to eavesdrop, he needs to create a different state in 
order to gain information, which shall be detected with finite probability. By 
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checking a large number of bits, Alice and Bob will therefore detect the cheating 
with probability exponentially close to one. 

5.2 A Quantum Cryptographic Network 

In this section we combine the reversed EPR scheme and the use of quantum 
memories into a classical network to present a quantum cryptographic network. 
The classical protocol for a network uses a hidden file managed by a communi- 
cation center. Any user is permitted to put data (secret keys) in the file, under 
his name, but only the center has access to the data. Let there be N users, 
and let each of them store many L-bits strings. Upon request from two users, 
the center uses their data and creates a secret key for them, which is shared by 
both of them: the center calculates the XOR of one string of the first user (say, 
ai ... ax of Alice), and one string of the second user (say, b± . . . b^ of Bob); the 
XOR of a string is calculated bit by bit using Cj = a,j © bj (the parity of the 
two bits), and the resulting string, C — c\ . . . cl, is transmitted (via a classical 
unprotected channel) to Alice; Alice rederives Bob's string by calculating the 
XOR of her string with the received string, and can use Bob's string as their 
common key. Secure transmissions from each user to the center can be done ei- 
ther by personal delivery, trusted couriers or quantum key distribution. Such a 
classical key distribution scheme is perfectly secure if we assume that the center 
holding them is perfectly safe and trusted. No other person (except the center) 
can have any information on their key. Even a powerful eavesdropper who can 
impersonate the center and all the users cannot eavesdrop, since the center and 
each of the legitimate users can use some of the secret bits for authenticating 
each other. Alice and Bob need to trust the center for two different purposes: 

1. To "forget" their secret key (and not trying to listen to the messages 
transmitted using the key); 

2. To authenticate one to the other in case they have no other way of au- 
thentication. This is a new possibility of authentication, added to the 



two options, previously mentioned in Section |5.1| . Thus the assumption 
of having classical channels which cannot be modified can be completely 
removed, even if the users have no other way to authenticate each other. 

The main reason why this simple scheme is not satisfactory in practice is that it 
concentrates too much power in the distribution center. Indeed the center can 
understand all the secret communications going through its distribution web, 
or connect Alice to an adversary instead of to Bob. Even if we assume that 
the center is trusted, any eavesdropper who manages to get access to it could 
decipher all the communications. 

Using a quantum memory instead of a classical memory is the key-point in 
deriving the quantum network. We now present a quantum key distribution 
network which uses a quantum file instead of the classical hidden file, and re- 
moves the requirement of a trusted center. Alternatively, we can release the 
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usual assumption of quantum cryptography || - that classical channels cannot 
be modified by Eve - if we are willing to trust the center for authentication 
(without trusting him for "forgetting" their qubits). Instead of storing L classi- 
cal bits to make a future key, each user shall store V quantum states (qubits) in 
specially devised quantum memories kept in a center. Upon request from two 
users, the center performs the time reversed EPR scheme described in the pre- 
vious Section and creates correlations between the bits. The resulting string C, 
which holds the correlation data is sent to Alice and Bob via a classical channel. 
As in the classical case, using string C, Alice can calculate Bob's string to derive 
a final common key of L bits. If Alice and Bob compare bases after deriving 



the data from the center, then, as explained in Section |5.1| , any attempt by the 
center to obtain the value of these bits will create errors and be discovered by 
Alice and Bob. The center therefore does not need to be trusted anymore. Un- 
like other quantum schemes, the actual (online) distribution of the secret keys 
is performed on classical channels. First, the center let Alice and Bob know 
the state he got. Then, Alice and Bob continue as in the other two schemes 
previously described to obtain the final key. All the quantum communication is 
done in advance, when the users "deposit" their quantum strings in the center 
(preferably in a personal meeting). 

When L-bit strings are stored in a classical hidden file, two users derive L-bit 
strings of correlated bits. Using quantum states for representing the bits, longer 
strings of length V > L + I are required, since some bits will be used for error 
estimation, error correction and privacy amplification. The exact ratio depends 
on the expected error rate in the channel. Only the bits which are encoded 
in the same basis by both users can be used, therefore V > 2(L + 1) bits are 
actually required (we assume that the more efficient scheme of measuring the 
Bell basis is used). 

Let us summarize the protocol as follows: 

• In the preparation step the user sends (gives) L'-qubit strings to the center, 
each qubit is one of the four states of the BB84 protocol. The center 
keeps these quantum states in a quantum file without measuring them. 
It is important that the system used for keeping the quantum states will 
preserve them for a long time (as long as required until the actual key 
distribution is performed). 

• When Alice and Bob wish to obtain a common secret key, they ask the 
center to create correlations between two strings, one of Alice and one of 
Bob. The center performs the Bell operator measurement on each pair of 
qubits, which projects them onto one of the Bell states, and tells Alice and 
Bob the result he obtained. After Alice gets the results from the center 
(and not before that), Alice and Bob compare the basis they used and 
keep only the bits for which they used the same basis. In this case, and 
according to the state obtained, the states of Alice and Bob are either 
correlated or anticorrelated. So, Alice for example inverts all her bits 
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which should be anticorrelated with Bob's. The remaining string should 
be identical with Bob's, apart from possible errors. 

• An honest center, who performed the correct projections on the Bell states 
does not get any information on the string. 

• A cheating center (or any other eavesdropper who might have had ac- 
cess to the quantum files), who modifies the allowed states, unavoidably 
introduces errors between the two strings. 

• Alice and Bob perform error estimation, error correction and privacy am- 
plification to derive a final key. 

The quantum channel is used only as a preparation step between each user 
and the center, and all the online communication is done via a classical channel. 
Yet, only O(N) keys are required to enable secret communication between any 
pair of the TV users. The conventional quantum key distribution schemes require 
0(N 2 ) keys, or else require online quantum communication. In fact, our scheme 
does not require quantum channels at all. As in old implementations of quantum 
cryptography J7j, the four quantum states can be chosen in any 2-dimensional 
Hilbert space. Instead of sending them, each user could arrive once in a while 
to the center, and "program" his states into the quantum file. If the memory 
can keep the states unperturbed long enough then each user can put as many 
strings as he needs till his next visit to the center. By using personal delivery 
of the quantum states we replace the distance limitation of all other schemes 
by a time limit, and solve the problems of a quantum cryptographic network 
which were described in the introduction to this chapter. All the technologically 
difficult steps, such as storing qubits and performing Bell measurements occur 
only at the center. 

5.3 Implementations 

Our scheme requires the possibility to program, store and manipulate quantum 
bits rather than to transmit them. Therefore, the discussion in Section |1.5| 
perfectly applies to our demands. In our case the quantum bits are subjected 
only once to a unitary operation of calculating the Bell state. 

We estimate?] that it may be possible to implement a working prototype of 
our scheme within a few years, with small modifications of existing technology 
of ion traps. Such a prototype shall be able to keep quantum states of several 
users for a few minutes and to allow to perform two-bit operations on qubits 
of two users. To do so, the center should hold L' ion traps, and each of the 
two (or more) users puts one qubit in each ion trap. Upon request of two users 
the center shall be able to measure the z'th qubit of Alice and the i'th qubit of 
Bob together in the i'ih ion trap. It may well be that such a prototype will not 



3 The following suggestions were investigated with the help of D. DiVincenzo [)42| . 
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enable an operation on the qubits of other users, since the state of the other 
qubits in the ion trap might be destroyed. 

The way to establish a real working scheme with a center and with many 
users is still long. The main obstacle is that it is currently infeasible to transfer 
a quantum state from one ion trap to another. A real network should enable 
each user to program his string of quantum states in a register (say, at least 
one separated ion trap for each user). Then, upon request of two users, the 
center should be able to move one qubit of each of the two users to another 
ion trap where he can perform the Bell measurement without disturbing the 



other quantum states. As discussed in Section [L5t this might be possible using 
'cavitraps' but it is difficult to estimate now whether it will become practical in 
a few years. It may well be that other candidates based on nuclear spins will 
become more favorable. 



5.4 World-Wide Network of Many Centers 



The network of Section |5.2| is well suited for communication among users who 
are not far away and can arrive to the center. For two users who are far away 
from each other and cannot come to the same center our network may not be 
appropriate. We now show that it can be modified to be useful also in this case. 
Let there be many centers, and many users registered in each center. Every two 
centers should share many EPR singlet pairs. Upon request of users of the two 
centers, one center would teleport || the qubits of his user to the other center. 
This operation can be done with 100% efficiency (but it may, however, increase 
the error rate). The singlet pairs can be transmitted using any quantum cryp- 
tography scheme or even using a teleportation scheme and a supercenter who 
shares EPR pairs with all centers. However, the transmission and distribution 
of singlet pairs require quantum channels even if done in advance?]. 

Do we lose all the benefits we gained before? Certainly not. Still, only the 
centers need to have ability of performing quantum operations. All quantum 
transmission is done in advance, and yet, there is no need for 0(N 2 ) strings, 
since the number of centers is much smaller than the number of users. Authen- 
tication is still simple. One problem of any quantum channel is the limit on its 
length. Our first scheme (with one center) replaced it by a limit on time. It 
would be bad to have both problems in a network of many centers. However, 



the suggestion of purifying singlets 12 enables transmitting signals to longer 



distances. Our scheme can make an excellent use of it, since only the centers 
need to have the technological ability of purifying singlets. Moreover, several 
transmission stations can be put in between to improve transmission (this idea 



was suggested by DiVincenzo ||42| ) by performing purification of singlets be- 
tween any two neighboring stations and then use teleportation from one station 
to the next to derive purified singlets shared by the centers. 



4 And transporting quantum states to deliver them by a personal meeting is similar to 
transmitting them through channels. 
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5.5 Summary and Discussion 

In this chapter we introduced a new scheme for quantum cryptography based 
on a time-reversed EPR scheme. We suggested two new types of networks: a 
classical one based on hidden files, and one based on quantum files. The security 
of key distribution protocols in these networks does not rely on computational 
complexity assumptions. Both networks can be used to distribute keys in a 
secure way among any two users using simple online communication via classical 
channels. In the case of hidden files it is done with the help of a trusted center 
who can have access to all the information exchanged through its lines. Using 
quantum files, the center need not be trusted. Users have the means to check 
whether the center, or any other eavesdropper, tried to obtain information on 
the transmitted messages. 

The one-center quantum network we suggested does not require any quantum 
channel at all, and can be implemented in a center where each user "programs" 
his states into a quantum memory. We estimate that a working prototype 
may be built in the near future using ion-trap technology. A real network 
can be built when the problem of transmitting a quantum state from one trap 
to another is solved (perhaps using cavitrap with polarization states). The 
machinery required for our scheme is also required for much more complicated 
tasks such as purification and quantum computing. In this respect, our scheme 
may represent a first practical application for these new devices, which are now 
being planned in various laboratories. We hope that our work will motivate 
more research for systems which can both keep a quantum state for a long time, 
and enable the desired programming and measurements. We didn't pay much 
attention to the delicate problem of programming the states. The programming 
requires a simple equipment to make sure that the center does not eavesdrop 
on the preparation step. While cavitraps are very complicated, programming 
the polarization state of each of the photons may be quite simple in the future. 

A future system of secure communication based on the protocol of Section FT? 



would involve a number of large transmission centers, which can exchange EPR 
correlated particles and store them, together with the qubits deposited at the 
centers by various users. Secure communication between any pair of users would 
then requires teleportation of the states to the same center, followed by the 
creation of correlations between the two strings. 
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Chapter 6 

Quantum Error Correction and 
Quantum Privacy Amplification 



While doing this research, the feasibility of quantum memory was much in- 
creased (at least conceptually) due to the suggestions for quantum error correc- 
tion |95| . Furthermore, additional fascinating applications of quantum memories 
were suggested by other people: 



1. breaking quantum bit commitment |78| 

2. entanglement purification [|E| 

3. quantum privacy amplification B 



The first issue was mentioned in Chapter [I], and we will not discuss it further. 
Let us explain the second issue in brief: Alice and Bob exchange many singlet 
pairs through a noisy channel. Because of the natural noise (or any other 
reason), the resulting entangled states are imperfect. Using an entanglement 
purification process |12| , they can distill (if the initial error rate is not too large) 



nearly perfect singlet states. This is impressive since the purification is done by 
local operations performed at Alice's site and Bob's site, and using only classical 
discussion. 

In this chapter we present our research on quantum error correction and 
quantum privacy amplification. Quantum error correction and quantum privacy 
amplification generalize the analogous classical concepts to the quantum case. 
In the classical case, error correction is useful for improving communication, 
computation and memory, and privacy amplification is useful for cryptography. 
We use the term quantum privacy amplification literally. 

Quantum computation, communication, and memory are very sensitive to 
noise. Unlike the classical cases, errors cannot be removed using simple re- 
dundancy if non-orthogonal quantum states are used, due to the no-cloning 
theorem. Quantum error correction (QEC) was suggested |95| as a way to solve 



these problems by using new type of redundancy. Several schemes have been 
recently suggested to reduce these problems, mainly focusing on quantum com- 



putation, trying to minimize the redundancy. In Section |6.1| we investigate the 
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role of QEC in quantum communication and memory. We focus on the fidelity 
of the the recovered state, an issue ignored by most of the works on this sub- 
ject. To improve the fidelity, we suggest to replace the error-correction codes by 
error-reduction codes, and we analyze the ways to calculate the fidelity. For n, 
a large integer, we suggest a code which uses N = n 2 quantum bits to encode 
one quantum bit, and reduces the error exponentially with n ]81]. Our result 
suggests the possibility of sending quantum states over very long distances, and 
maintaining quantum states for very long times. This part was done with the 
help of Eli Biham, Gilles Brassard, Lior Goldenberg and Lev Vaidman. 

Privacy amplification is an important step in any quantum key distribution 
protocol. While we (and also Yao |109|| and Mayers |76| ) investigated the ef- 



ficiency of classical privacy amplification against a quantum eavesdropper, the 
possibility of using quantum privacy amplification (QPA) instead of classical 



privacy amplification was suggested [38]. Ignoring the problem of practice, this 



idea is very interesting. They suggested to perform a QPA which is based 
upon the entanglement purification (EP) developed in [12]. We call this process 



EP-based QPA, for convenience. In this process Alice and Bob use purified sin- 
glets to execute the EPR scheme or the four-state scheme (via teleportation). 
They can even choose a fixed basis and use orthogonal states, if they previ- 
ously verified that the quantum privacy amplification works to yield the desired 
entanglement purification. The EP-based QPA provides a proof of security of 
quantum key distribution under the assumption that Alice and Bob have per- 
fect devices^ |38| . In Section |0] we criticize the possibility that EP-based QPA 
provides secure quantum key distribution. 

One of the main surprises of the idea of |38| is that, unlike the classical 



case (where error correction and privacy amplification are usually considered 
separately), the suggested QPA process already contains the error correction as 
well! This was a hint that QEC itself could be used for suggesting another QPA 
process. In Section ^]3] we show that QEC codes can also serve for QPA (e.g., 
by encoding the qubits of the four-state scheme), if a simple randomization step 
is applied. 



In the previous chapter and in the literature |TI[ it is usually claimed that 
the EPR scheme provides no significant benefit over the four-state scheme. The 
EP-based QPA suggests a genuinely different quantum key distribution protocol, 
where the use of shared entangled states yields a protocol that has no analogue 
along the lines of the four-state scheme. Our QEC-based QPA shows similar 
features to the EP-based QPA, and it can work with any scheme. Due to the use 
of randomization of the code qubits, Alice could even start with only two known 
orthogonal states, encoded using the QEC code, to execute the key distribution. 
This aspect also presents a similarity to the use of the EP-based QEC. Finally, 
we explain that QPA might still be crucial to the security of quantum key 
distribution over large scale distances or times. This is due to quite different 



reasons from those suggested in |38[ . 



1 The assumption appears on page 2819, col. 1, line 18. 
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6.1 Quantum Error-Correction 

6.1.1 Error- Correction and Error-Reduction 

The ability to correct errors in a quantum bit (qubit) is crucial to the success of 
quantum computing, and it is very important to the implementations of quan- 
tum communication systems and quantum memories. Motivated by quantum 
computing, Shor B3j shows that quantum errors can be corrected (in some anal- 



ogy to classical error correction [73|). The many works which follow Shor's idea 



focus on improving his result |b|, ^7], |98], ^J to better fit the requirements of 
quantum computing, or to provide a better understanding of the properties of 
the error-correction codes (the previous works and also |H| f5| |96|). In this 



section we apply this idea to quantum memories and quantum communication, 
where improving the fidelity of the recovered state is the main goal. The error- 
reduction scheme we suggest here enables, in principle, to reduce the noise in 
a transmission channel or in a quantum memory to any desirable level, while 
using much less qubits than the analogous error- correct ion schemes. 

Classical error correction is based on redundant encoding which uses more 
than one bit (on average) to encode one bit. The simplest scheme is the 1 — ► 3 
repetition code in which each bit is repeated three times in the encoding, and 
a majority vote is chosen for decoding. This code corrects one error, thus if the 
3-bit string suffers from up to one error, the original bit is recovered with perfect 
fidelity. In a realistic analysis one must also take into account the possibility 
of more than one error. For instance, if a single bit contains an error with 
probability p (where we assume that p is small), then pi = L W(l — p) 3 ~ l is the 
probability of having exactly I errors. Thus, the probability of having an error 
in the recovered bit is P = p^ + p% = 3(1 — p)p 2 + p 3 = 3p 2 — 2p 3 . We call the 
probability P of having an error in the recovered bit the remainder error, and 
the fidelity is 1 — P. 

The analogous quantum error correction |95|] uses 9 qubitsQto encode a single 



qubit (to perfectly correct a single error) using the following procedure: a 1 — > 3 
repetition code in the z basis |0) — > |000) and |1) — > |111) (where |000) stands 
for the tensor product |0)|0)|0) of three qubits); a transformation to the x basis 
|0) -> (l/v^XlO) + |1)) and |1) -> (1^/2) (|0) - |1)) for each qubit; and finally, 
again a 1 — > 3 repetition code in the (new) z basis. All together, the encoding 
is: 

|0) -► -=(|000) + |111))(|000) + |111))(|000) + |111)), 



|1) -► _(|000)- |111>)(|000> — |111>)(|000> — 1 111>) . (6.1) 



We denote it as R3UR3 where R n stands for 1 — >■ n repetition code, and U 
for transformation from the z basis to the x basis. From now on, N denotes 
the total number of code qubits which encode one original qubit. In an R n UR n 



Other codes were found later on which use less qubits. 
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code (which is the obvious generalization of the code suggested by Shor) N = n 2 
qubits are used. 

A qubit is described by a two-dimensional Hilbert space (e.g., spin of a spin- 
half particle) and it generalizes the classical bit to the quantum state \ip) = 
a|0) + P\l) with \a\ 2 + |/5| 2 = 1. When it is encoded using R n UR n we get the 
entangled state 

\^)^\^ RV n)=u\n RUR )+P\l RUR ) . (6.2) 

This state is made oi N = n 2 qubits, and lives in a 2^ n ) dimensional Hilbert 
space, with 

|0„»> = ((Tfw) (|0i-"0»> + 111 •••!»» ••• (|0i---0„> + |li...l n » 

|1*»> = (t^w)(I i--- -)- 111 •••!«)) ••• (|0i---0 n )-|l 1 ---l n ))(6.3) 

where there are n multiplets of n bits each. In the decoding process, the dis- 
turbed state is projected on the desirable 2-dimensional subspace spanned by 
the two states \0 RUR ) and \l RUR )- 

An error-correction code is not supposed to correct arbitrary types of errors. 
In all the discussions on quantum error correction transformations of many 
particles together are dismissed since in reality such errors are much smaller 
than errors in individual bits. As a result, the interaction of the qubits can 
be written as a tensor product of the interactions of the individual bits (each 
with an independent environment). We adopt this assumption and refer to it 
as independent disturbance. 

To simplify the analysis even further, usually an additional assumption is 
made, that most of the bits are completely unaffected by the transformations, 
while few bits are strongly affected (and suffer from a bit-flip, a phase-flip or 
bothP]). In such a case, a code provides a perfect fidelity if it can correct at least 
as many bits as were affected. Unfortunately, this assumption is not natural, 
and it contradicts the assumption of independent disturbance which says that 
errors occur independently in any of the qubits. We shall not assume that only 
some qubits are affected. All bits are affected hence a code cannot provide 
perfect fidelity; there is always a remainder error P in the recovered qubit. 

We can estimate the average error rate p for a qubit transmitted through 
the channel, and calculate the remainder error P which results from it. For a 
small p, an error-correction code usually yields a much smaller P. However, 
such an approach is somewhat classical and it is not clear that it provides a 
correct calculation for P. To the best of our knowledge, it is not completely 
proven that the calculation of P can be based upon p, since the qubits are not 
measured separately in the QEC process. 

In the next subsection we shall try to remove this assumption (for a very 
simple case) and follow an alternative approach which is fully quantum. Instead 

3 The analysis in [pi EH] might have shown that resistance against such errors promises 
resistance against any quantum error. We are not fully convinced that this is indeed true. 
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of choosing pasa parameter, we shall choose the "average" transformation^ 
which acts on each qubit. It may even be more realistic to assume that some of 
the transformations are not weak, but we shall be satisfied with analyzing an 
average transformation. Usually it is assumed that it suffices to consider the 
classical probability p instead of the average transformation. 

In this subsection we focus on analyzing the connection between p and P 
for R n codes, assuming that such calculation is relevant to the quantum case of 
R n UR n as well. 

For communication purposes, we are mainly interested in the remainder er- 
ror. It can be reduced if we use longer codes (or more efficient codes) which 
correct more errors. Alternatively, for a given code, it is possible to reduce the 
remainder error if we perform error reduction instead of error correction! Let 
us explain the difference between them (in the classical case). We previously 
presented the classical error- correct ion scheme R3. This code improves the re- 
mainder error (to 3p 2 — 2p 3 ) only on average: it improves it much when no errors 
are found, but it does not improve it when one error is found; in case we know 
that one error was identified and corrected [which happens with probability 
P2 + P1 — 3p 2 (l — p) + 3p(l — p) 2 } the probability of having a remainder error is 
exactly P2/{pi +P2) = P, and we gain no error reduction at all! In case we throw 
away cases were an error is found, instead of correcting it, the remainder error 
is P3/(po + P3) = p 3 /(p 3 + (1 — p) 3 )- For a small p the remainder error is reduced 
from 3p 2 — 2p 3 to p 3 + 3p 4 + O (p 5 ) . The probability of success (the probability of 
not throwing the bit) is Q = po + p^ = 1 — 3p + 0{p 2 ). The possibility of using 
error reduction was already considered in | |104|| , who suggested the n = 2 error 
reduction as an alternative to the n = 3 error correction. The n = 2 (classical) 
error-reduction code provides a remainder error P ?a p 2 + 3p 3 which is better 
than 3p 2 — 2p 3 for a small p. 

In any error-correction code, the remainder error increases with the number 
of corrected errors. If we throw away cases where the scheme suffers from large 
number of errors the average remainder error can be much improved. There- 
fore, in our error-reduction code the majority vote is replaced by a unanimous 
decision; in case of a disagreement the bit is thrown away. The classical (1 — > n) 
repetition code R n with n = 2t + 1 provides successful unanimous decision with 
probability Q = (1 — p) n +p n , and the remainder error in this case is P = p n /Q. 
For a small p 

P«(V^-1 , (6.4) 



1 — p 



and (for a large n) Q is given by 



Q«(l-p)»«l-np+M!_M!... . (6.5) 



For a large n but small np we obtain Q w 1 — np. 



In order to yield a small p the transformation must be close to unity. 
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The same code can also be used to correct up to t errors (since n — 2t + 1), 
but with a much higher (average) remainder error, which can be calculated 
from the binomial expansion of [p + (1 — p)] n . As in the previous example, 
if exactly t errors are identified and corrected, the probability that there were 
actually t + 1 errors (hence, there is a remainder error) is p. If np > 1 (or even 
np ~ 1) and Q becomes too small, error correction and error reduction can be 
combined together for the price of increasing the remainder error P. This is 
done by using a code which can correct up to t errors and use it to correct t! 
errors where < t' < t. The case of t' = reduces to an error-reduction code, 
and the case of t = t' reduces to an error-correction code. For simplicity we 
shall consider only "pure" error-reduction schemes, but our calculations can be 
generalized to combine the correction of few bits as well. 

The quantum error- reduction scheme R2UR2 (suggested in [|104|| ) improves 
the remainder error compared to Shor's scheme, while using only 4 qubits in- 
stead of 9 for the encoding. The error-reduction process is done by projecting 
the state of the code's qubits on a desirable subspace; for instance, in case of the 
R n UR n quantum error-reduction code, it is projected on the subspace spanned 
by the two states of eq. (|6.3|) . If the projection fails, the qubit is not corrected 
but is thrown away. Clearly, this does not complicate the implementation, and 
would probably even simplify it. Unless Q is very small, throwing away the bits 
has only small influence on a quantum key distribution protocol since the legiti- 
mate users throw away most of the bits anyhow due to other reasons. However, 
in quantum computing throwing one bit destroys the computation. 

In a scheme which combines error reduction and t'-errors error correction, 
one has to check into which subspace the state is projected, and if this subspace 
corresponds to t' errors (or less) the state is corrected by simple transformations 

HI). 
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Suppose that the average error rate in a quantum error-reduction scheme is 
p. Following p5| , |104]| and other works on this subject we calculate the classical 



remainder error P (from the analogous classical code) given that errors occur 
with probability p. Let us use the error-reduction code R n UR n with large n. 
This code encodes one qubit into N = n 2 qubits. It reduces the remainder error 

to 

n 

P = - (6 6) 

p n + {l-p) n ' 

that is, to be exponentially with n. More efficient codes could be used as well, 



based, for instance, on |98|, |99|, |27] 



6.1.2 A Realistic Calculation of the Remainder Error in 
a Simple Case 

To the best of our knowledge, a calculation of the remainder error which takes 
into account the fact that each bit is subjected to a transformation was done 



only in pS|. It was done using interaction operators and recovery operators, 
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but only the case where one of the operators is proportional to the identity was 
considered, and it is not clear if it covers all possible transformations. 

For the simple special case of the code R2UR2 we wish to calculate explicitly 
the remainder error P, and the probability of success Q, to verify that they are 
of the same order as P and Q of the classical error reduction code i?2- We cal- 
culate the remainder error without using the classical analogous code. Let each 
qubit in the code be transformed arbitrarily (but independently). In general, 
the transformation is not unitary since an ancilla (e.g., environment) might be 
involved. However, for any given initial state we can still consider unitary trans- 
formations and add the effect of decoherence (non-unitary transformations) by 
averaging over several different unitary transformations with appropriate prob- 
abilities. (We believe that a similar argument is provided in [fUjj). 



For instance, when the weak-measurement gate (eq. [4.59| ) acts on a code 



qubit and an environment qubit in a state Lj Lj, it yields the same RDM (for 
the code qubit) as the average of the two transformations 



and 






ll / 7 • (6-8) 

O ry C"-y / 



The use of unitary transformation provides the order of magnitude of the 
resulting P and Q, for verifying that the frequently used classical analog is not 
strictly wrong. 

Let each qubit j in the code be exposed to the most general one-particle 
transformation 

11 _ ( COs9j sin^e^ \ 

3 l^-sin^e^ cos0e^' +r ^ ) { } 

(up to an irrelevant overall phase), where all angles are smaller than some small 
angle Xi so that p ^ x 2 if a single qubit is measured. 

In the quantum error-reduction process R2UR2 the original qubit is encoded 
into \* RUR ) = a\0 RUR )+(3\l RUR ) with \0 RUR ) = (1/2)(|0000) + |0011) + |1100) + 
|1111» and \1 RUR ) = (1/2)(|0000)-|0011)-|1100) + |1111)). The original state 
is in a 2^ 2 ' = 16 dimensional Hilbert space, and can be written as 



\Vrur) = ^[(a+/3)|0000) + (a-/3)|0011) + (a-/3)|1100) + (a+/3)|llll)]. (6.10) 
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This state is transformed (due to (L/iL^L^KiJOOll), etc.) into: 

/ a + (3 \ ( Xqooo \ 







a — j3 



a — (3 




a + (3 J 



\ a + 



^0001 
^0010 
#0011 
^0101 

3?i ioo 

^1101 
^1110 

V »nii I 



(6.11) 



Using eg = cos 9 and sg = sin 9, the terms are Xoooo = (« + /3)cg 1 cg 2 cg 3 cg 4 + (a — 

[3)c dl Cg 2 Sg 3 Sg 4 6 1 ^ 6 1 ^ + (a-p)sg lS g 2 Cg 3 Cg 4 6^ 6^ + (a+/3) Sg, Sg 2 Sg 3 Sg A 6^ 6^ 6 1 ^ 6 1 ^ , 

etc. In the quantum error-reduction process the state is projected onto the sub- 
space spanned by \0 RUR ) and (l^^). 

Let C = (cos^i • ■ ■ cos #4 cos^i ■ • -cos 04 cosr/i • ■ -cos 7/4), thus, C ~ 1 — 0(x 2 )- 
After a lengthy calculation we obtain the (unnormalized) final state \$ RUR ) 
C 



(?) + o(x 2 



This final state, when normalized, is almost identical to the 
initial state \^/ RUR ), and the corrections are of the type sin^i sin 9 2 ; sinr/ 3 sin 774, 
etc., all of order 0(x 2 ) or smaller. Thus, the remainder error probability is 
indeed 0(\ A ) ~ 0(p 2 ), with probability of success Q ps C 2 « 1 — 0(x 2 ) ~ 
l-0(p). 

This simple example (which is already quite complicated) shows us that the 
classical use of p could be correct. Yet, a more general proof is certainly needed. 



6.1.3 Application to Quantum Communication and Memory 

The main problem of a scheme which performs only error reduction is that, when 
n is increased, the probability of successful projection diminishes as (1— p) n . We 
could combine it with some (small-t') error correction as previously explained, 
but there is also a different solution, which should be preferable in case the 
noise changes in time as 9 ~ wt. In this case, the probability of success can be 
much improved using the Zeno effect (see discussion in | |104j , [30]) by performing 
M projections in between, at equal time steps, reducing p to p/(M 2 ), and Q to 



(1 — ~M^) nM ~ 1 — np/M. The remainder error is also much improved by this 
process. Performing M projections is rather simple when enhancing a quantum 
memory is considered (meaning that it does not add any further complication). 
When transmission to long distances is considered, Alice and Bob need to have 
projection stations between them. We shall explain later in Section |0| that 
(contrary to the common belief) the usage of such repeater stations is possible 
even when used for secure transmission of quantum information (as in quantum 
key distribution). 

Analysis of the effectiveness of this scheme when real devices are used is 
much more complicated and (to our knowledge) is still missing. It might be 
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partially or completely solved if fault-tolerant quantum error correction [£M| is 
used. 



6.2 Quantum Privacy Amplification 

Quantum privacy amplification (QPA) is a scheme for privacy amplification 
which uses quantum gates and memory. 



Purification [12] uses quantum gates and classical communication to distill 
purified singlet states from non-pure singlet states. Suppose that the two non- 
pure singlets are in a tensor product and that Alice and Bob have perfect devices. 
Then, if the purification succeeds, the obtained singlet state have a better fidelity 
than the average fidelity of the two original state. When a supply of such non- 
pure singlets is given, and this process is repeated many times it converges^ to 
provide singlets that are arbitrarily close to being perfect. Thus, purification 
can be used to provide Alice and Bob perfect singlets under these assumptions. 

Recently, a wonderful idea was raised in |J3J to use purification as a QPA for 
the EPR scheme (but it can be useful to any other scheme due to teleportation). 
This paper provides an (almost complete) proof of security of quantum key 
distribution under the assumption that Alice and Bob have perfect devices. It 
also creates the impression that purification based QPA can provide a proof for 
the ultimate security of quantum key distribution. In this section we criticizes 
this possibility. It is based on discussions with Charles Bennett, Eli Biham, 
Gilles Brassard and John Smolin. 

When Eve performs a collective attack, the original pairs are in a tensor 
product with each other, even if entangled with Eve's probes. In this case, and 
with the additional demand that Alice and Bob have perfect devices, this QPA 
provides an easy proof of security. [Yet, it does not provides a calculation of 
Eve's information as a function of the original average fidelity and the number 
of singlets required (which might be exponentially large with some parameter 
if not proven otherwise). Only an incomplete numerical analysis is provided]. 

Altogether, there are three assumptions which make the proof correct and 
complete: (1) Alice and Bob have exponentially large number of particles. (2) 
Alice and Bob have perfect devices. (3) Eve performs a collective attack (this 
results from eq. (9) in 153]). Here, we ignore the efficiency problem, although 



this problem must be solved if one wishes to use the scheme. 

Let us try to remove assumptions (2) and (3) to see whether the purification 
based QPA can provide a proof of security in principle. We conclude that it 
might provide it, but the task might be much more difficult than proving security 
using classical privacy amplification. 

If Alice and Bob have perfect devices but Eve performs a (non-collective) 
joint attack their proof is almost complete: Suppose that Eve knows which pairs 
shall be used at each step (including the pairs which shall be used for verification, 
but not the basis used for each verification) Eve could prepare a state which 

5 If the original singlets are not too far from being pure. 
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yields an error only in certain qubits, since all the transformations are unitary 
(this observation is due to Charles Bennett and John Smolin). Indeed, in this 
case, it is quite clear that randomizing the pairs solves the problem. However, 



an analysis of this attack and a proof of security against it are missing from ]38 
and it is not clear if changing the intuition into a proof is trivial. Note that 
we use a similar randomization argument in Chapter 0, where we provide an 
intuition that randomization makes a collective attack the strongest joint attack. 

The proof in |38| considers noisy channels, but assumes non-realistic perfect 
devices. The case of perfect devices is not of much interest unless the proof can 
be extended to real devices. We analyze both the security against collective 
attacks and against joint attacks. 

If Eve performs a collective attack and Alice and Bob have real devices it is 
still possible to generalize the proof of p8| . On one hand, Alice and Bob cannot 
check whether the purification converges. Perfect devices are required to enable 
Alice and Bob to derive any level of confidence that the remaining pairs are in 
the desired pure state, and quit the protocol if this level is not reached. On the 
other hand, repeating the purification many times and randomizing the pairs 
probably reduces the entanglement with Eve to zero even if the states are not 
purified. It is not clear how to prove security and how to find Eve's information 
as a function of the number of iterations in this case. 

While assuming either perfect devices or collective attacks seems to cause 
problems which are solvable in principle, removing both assumptions might 
leave an unsolvable problem. 

Let the RDM of one such pair be p, and the RDM of all the pairs together 
be x- Also let the state of the entire system (pairs and Eve's probes) be if). 
With p close enough to the desired singlet state |0_)(0_|, Alice and Bob cannot 
distinguish p from the desired state due to their non-perfect devices. Let us 
present various attacks Eve could perform in such a case: 

1. Eve can prepare a joint state \ for the pairs such that the purification 
does not converge due to her special choice of the entanglement of the 
pairs. 

2. Eve can prepare a different state \ for the pairs which is not changed by 
randomization. 

3. Eve could prepare a state ip for the system and her probes, such that she 
obtains information from it. 

Furthermore, consider the following attack: 

• Eve might be able to combine the above three techniques to create a 
situation where purification does not converge, randomization does not 
work, and yet she gets some information on some final bit, or collective 
property of some bits. 
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We were not able to prove that such an attack is impossible. Furthermore, it is 
not even clear how to find an intuitive argument for security in this case. 

Thus the EP-based QPA only provides the possibility for a very restricted 
security proof, assuming either perfect devices or the collective attack. Note that 
improving their proof is an extremely difficult task when we recall that Eve has 
access to all information regarding the purification process, thus can follow the 
changes in the state of her probes throughout the process. Therefore, we believe 
that proving security using the much simpler classical privacy amplification is 
an easier task. 

6.3 Quantum Error Correction as Quantum Pri- 
vacy Amplification 

In this section we suggest another QPA which is based on QEC After read- 
ing the previous section, one may wonder whether QPA (of any type) is still 
interesting. We believe it is, for reasons which are shown at the end of this 
section. 

One of the effects of QPA is error correction. This raises the question of 
whether QEC can serve as QPA. Assuming Alice and Bob have perfect devices 
we suggest the following (simple) QEC-based QPA: Alice prepares M qubits 
that she wishes to send to Bob. She chooses the qubits according to the four- 
state (or the two-state) scheme of quantum cryptography. She encodes each 
qubit using N qubits following any QEC scheme and sends the MN qubits 
to Bob. Bob receives the particles and keeps them in a quantum memory till 
receiving all qubits which encode an original qubit. Since perfect devices are 
used, QEC can reduce a small error rate in a quantum memory or in a quantum 
channel to any desired level due to analysis of the remainder error (apart for 
accumulating many-bits error). 

We can use projection stations to improve this QEC-based QPA much fur- 
ther, due to the Zeno effect. We call them quantum repeaters. When such quan- 
tum repeaters are placed in appropriate predetermined distances, they keep the 
error rate at low levels without reducing security. Note that, when real devices 
are used, the use of fault-tolerant QEC |9(J might still enable reducing the er- 
rors to any desired level (although the use of projection stations becomes more 
subtle) . 

Let us now analyze the case where an eavesdropper attempts to eavesdrop 
on the code qubits. Eve can either get the qubits at some intermediate stage, or 
even control the projection stations used to improve the probability of successful 
projection Q. Indeed, since each such station is only required to perform the 
desired projection, it can even be controlled by the eavesdropper; if Eve tries 
to do anything other than the required projections -- she increases the error 
rate and will be detected. Eve could even control the encoding and decoding 
process of the original qubit. 
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The only assumption required for the success of any error-correction or error- 
reduction scheme is that each code bit is disturbed independently of the others. 
If real noise causes many-particle transformations the scheme will fail, but for 
bits stored or transmitted separately, such effects are expected to be negligible. 
Thus, the legitimate users can use error-reduction schemes to decrease the noise, 
and expect much less errors when comparing a portion of the data. Eve is still 
permitted to do whatever she likes, including creating many-particle coherence. 
She could clearly benefit from performing a coherent attack in this case, but 
she is restricted to induce a much smaller error rate on the original qubit. 

If perfect devices are used, Alice and Bob can reduce the permitted error 
rate exponentially to zero. In case of real devices a proof is still missing. As 
previously said, analyzing this aspect of QPA is rather complicated and we 
believe that a security proof based on classical privacy amplification is simpler. 

If Eve deviates from the protocols and the error rate is larger than expected, 
Alice and Bob quit the transmission. If she deviates from the protocol but 
provides the final state with the permitted error rate, Alice and Bob do not care 
which operations she has done. Then, the permitted small error rate (which is 
verified), promises them that her information is limited as desired. 

The errors due to the frequent projections in a "many-stations" system were 
not considered here. As in the case of a fault-tolerant calculation f96|| , it may 



well be that there is some optimal number of stations M such that a larger 
number of stations causes an increase of the remainder error. Note also that 
some errors are due to the creation and measurement of the code state in the 
labs of Alice and Bob, and for the time being these limit our ability to reduce P. 
We believe that error correction by symmetrization is the right way to handle 
these problems, but we are not aware of works which are showing this. However, 
the main limitations on quantum cryptography are maintaining coherence over 
long distances and long times and these limitations are solved efficiently using 
the scheme we suggest. 

Suppose now that Alice sends the MN qubits in a random order (so that 
Eve will not know which N qubits encode each original qubit). In this case, our 
QPA scheme probably becomes more secure: Without having the knowledge 
regarding the random permutation we conjecture that she could benefit from a 
coherent eavesdropping. Thus, the randomization of the code qubits probably 
improves the QPA. However, as for all other uses of the randomization argument 
there is no proof for this intuition. 

The EP-based and the QEC-based QPA processes do not assure security. 
They only allow Alice and Bob to work with a much lower permitted error 
rate. Even though we do not believe that QPA improves our ability to prove 
security in a direct way, it might still help it in other ways, a) It can be used 
to reduce the error rate very much. Such a reduction might be crucial for 
other security proofs such as the one we presented in Chapters ^| and f|, which 
relies on various approximations of small angles, b) It enables implementing 
quantum cryptography over large scale distances and times since the final error 
rate depends only on the devices' errors and not on the channel/memory's error. 
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When we combine both arguments we see that QPA might be crucial for proving 
security using classical privacy amplification when large scale cryptography is 
performed, by reducing the errors to levels which can be dealt with by the BM 
approach. 
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Chapter 7 
Conclusions 



Quantum memory shall sooner or later become a common tool. In this thesis we 
provided the first thorough analysis of the impacts of using quantum memories 
for both improving quantum cryptography and for attacking it. In the hands 
of an eavesdropper a quantum memory is a crucial tool: without it classical 
privacy amplification provides a proven security of quantum key distribution 
(although an explicit bound is still missing). In this work we provided strong 
evidences that classical privacy amplification still works when Eve holds a quan- 
tum memory, and we suggested a way to establish a full proof. In the hands 
of the legitimate users, a quantum memory provides new ways of establishing 
a network for many users. It also provides the ability to improve large scale 
quantum key distribution. 
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